On Mon, Oct 15, 2018 at 11:00:24AM -0700, Jonathan Nieder wrote:
> Hi,
>
> Emilio Pozuelo Monfort wrote:
> >>>> Michael Gilbert wrote:
>
> >>>>> Major updates to chromium in stable have so far been contingent on it
> >>>>> being a leaf package, where there is no chance for it to break
> >>>>> anything else. Adding CEF as a reverse dependency would change that.
>
> ^^
>
> > On 15/10/2018 19:19, Steinar H. Gunderson wrote:
> >> On Mon, Jul 02, 2018 at 12:29:15PM +0200, Steinar H. Gunderson wrote:
>
> >>> Release team, for the short recap: Would it be acceptable to have chromium
> >>> provide a chromium-source binary package, and then package CEF (Chromium
> >>> Embedded Framework) Build-Depending on that package, and then have other
> >>> packages depend on CEF? CEF aims to provide a stable API/ABI on top of
> >>> Chromium for other software to use, but needs updating whenever Chromium
> >>> releases a new major version. See #893448 for some more details.
> >>
> >> Ping :-) Release team, do you want to weigh in? If nothing else, perhaps we
> >> could add a CEF package in unstable only (ie., with a testing blocker bug)
> >> for the time being.
> >>
> >> FWIW, I've updated my CEF packages to CEF/Chromium 69; all that was
> >> required was
> >> to patch out installation of Swiftshader (since Debian's packages now
> >> disable it).
> >
> > I'm not sure we (RT) need to make any decision here.
> >
> > Adding a chromium-src for other packages to build against is not special in
> > any
> > way, we don't approve this for other packages.
>
> However, you do have some say in whether a package is able to have
> non-trivial updates in stable. Can we infer from your reply that
> you're still okay with this for Chromium even if CEF relies on it,
> provided security team is okay with it?
>
> > As for the security support concerns, that's up to the security team.
>
> Therefore cc-ing security team.
Ultimately this is up for Michael to decide, as he's dealing with Chromium
updates single-handedly.
Personally I have no reservations against this entering unstable, but this
doesn't sound
like something that should enter a stable release. If the Chrome development
team with
it's hundreds of full time developers can't/wont commit to a stable interface
for these
kinds of extensions, why should we kludge around this with our sparse resources?
This is rather that kind of wacky
not-really-suitable-for-stable-but-still-kinda-nice stuff
we should have PPAs for.
Cheers,
Moritz
