On Tue, Sep 02, 2003 at 11:09:55PM +0200, Ralf Nolden wrote: Content-Description: signed data > Hi, > > FYI, while communicating with Matt Zimmerman a couple of weeks back on > security issues for KDE (that the woody debs on kde.org have those fixed as > well - Martin Schulze included that info while he was doing that) we were > discussing things like that the KDE packages in sid are made from CVS > checkouts rather than from the original release tarballs. Matt would prefer > to get them build from the release tarballs with patchsets against CVS if you > need them - however, this is none of my business so you might want to check > with Matt how to proceed with your next upload as that's probably the last > chance to do it the way the security team would like to have things done for > sarge.
For one thing, we always need the updates from branch, KDE is notoriously buggy, just look at the bug list sometime ;). However, the orig.tar.gz in 99% of the cases is the KDE_3_1_X_RELEASE export minus all the autocrap and CVS dir crap that upstream ships in their tarballs. If debian f*cking supported decent change support, not just text diff then this could be 100% the case. Sometimes binary files change (eg png's) and in those cases I have to stuff them in orig.tar.gz since going through the uuencode/etc process is a REALLY BIG PITA. The resulting diff.gz that is built for uploads includes KDE_3_1_BRANCH (minus binary stuff) since the last release plus the autocrap. A new security release shouldn't be very hard to do for KDE 3 since you would just need to do a current KDE_3_1_BRANCH export and build it. I will never ship pristine upstream tarballs due to the CVS dir issue which Debian officially doesn't want either... so its a no win situation, someone in Debian will always be bitching. > I know making patchsets for every change requires a lot of time and effort but > you should seriously think about doing it; it will ensure more quality > control and give the security team a better base in case they will receive > security patches from KDE - again this is my personal opinion, I'm not a > debian developer yet that I could do this on my own but I would be willing to > help there. In future releases I can provide the diff.gz for security releases if wanted. I didn't provide them on 2.2 releases since I didn't maintain KDE during that time (not really anyway) and the build system was a mess, etc. Chris BTW - I make it a habit to never fix things directly in the diff.gz, if needed I make debian specific changes and then create diffs for them in the debian/patches dir.
