Hi Paul,

On Mon, Jul 7, 2025 at 4:44 PM Paul Gevers <elb...@debian.org> wrote:
>
> Hi Sergei,
>
> Sorry for taking a while.
>
> On 6/27/25 09:25, Sergei Golovan wrote:
> >> Can you please check our FAQ [1] and try to answer the questions listed
> >> in the "new upstream" section? I'll note that erlang is a key package.
> >
> > Sorry, I was too brief in this bugreport. Should've added more detail.
> >
> Thanks for your further comments. Can you still answer whether there's
> an upstream policy for a release like this one? Judging from the
> numbering, upstream considers this a fix release, but I'm guessing here.
> Do they have a policy (that you can link) for such releases?

I don't know about a formal policy document which would describe bugfix
or feature releases. As far as I know, there are three major releases
supported upstream at any moment. For now they are 28, 27 and 26.
Releases like 28.1, 28.2 etc. are considered feature releases, releases
like 28.1.2, 28.1.3 are considered bugfix releases, though occasionally
they include some new features.

After the next major release (28 in our case) is out, the previous
release version freezes (27.3.4 in our case), and then only bugfixes are
committed into it, with versions like 27.3.4.1, 27.3.4.2 etc. Usually, a
new major release happens in May or June, so we don't follow these
minor-minor releases closely (as we are already in a deep freeze when
they start to appear). We never updated versions in debian/stable to
such releases, and only cherry-picked changes that were important
enough.

The current situation is a bit special, because trixie is still not
stable and 27.3.4.1 contains an important fix (along with a few other
smaller fixes).

>
> > In my opinion, not only fixing CVE-2025-4748, but also at least
> > changes in SSH are useful enough to be included in trixie. Fixes for
> > crashes in the Erlang shell improve usability as well (though I never
> > experienced them myself).
> >
> Sounds like we should do this, but knowing upstream's policy would make
> me more confident.

Unfortunately, I can't find any formal policy. On the other hand, the
changes in 27.3.4.1 are not too intrusive, as I can see.

Cheers!
-- 
Sergei Golovan