> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
>> As it is being currently discussed on debian-security [1], security
>> team has hard times supporting mozilla family of packages, because of
>> unfriendly upstream policy - they don't want to isolate security fixes
>> from a large changesets of new upstream releases. And given the huge
>> size of the package, isolating security patches at Debian level also
>> fails.
> [..]
>> Maybe in rare cases like this one, when there seems to be no other way
>> to keep important package set secure, we should allow new upstream
>> into Debian Stable?
>
> What happens if they require new versions of libraries which already
> exist in stable?

It depends on the nature of the dependency. If recompilation against the version in Debian stable is possible, no problem. This will be the case in most situations, I believe. If some new library feature is needed, it's more interesting. It should probably be examined on a case-by-case basis.

> I think you need a couple of ways out and to decide between them
> possibly just leaving well alone and making users aware of the issue
> (perhaps pointing them at volatile?) if library upgrades are needed as
> well as the case where new self-contained upstreams could be allowed in.
>
> Is volatile not a better general place for such packages though really?
> Maybe we just need more emphasis on volatile to our users. (i.e. get
> the installer to prompt about it etc).

I don't have anything against using volatile for this. The only thing that is IMHO a must - it should still be possible to install/upgrade/uninstall packages with normal Debian package management tools.