Hi Marco,

Thanks for raising these questions!

Quoting Marco Falke (2019-11-14 18:20:40)
> Are there any users of the package currently?

Debian has no reliable way to measure users (that's a feature, not a
bug), but our main indicator - popcon - indeed shows weak popularity:
https://qa.debian.org/popcon.php?package=bitcoin

Hint: Instead of above URL you might instead use the link to popcon in
the right pane of the developer's overview at
https://tracker.debian.org/bitcoin

> What is the point of
> maintaining the package when it is only in unstable?

Point is to make it available to as many as possible. Currently that
means only users of Debian unstable but hope and expectation is to do
better than that.

> I'd presume some of the reasons are identical to the reasons that the
> firefox package is only in unstable:
> https://packages.debian.org/sid/firefox ?

Somewhat related, yes: Firefox releases (and Firefox ESR as well) have a
lifespan too short for Debian stable.

Bitcoin releases have in the past also had a too-short-for-Debian-stable
lifespan, but hopefully that will slow down (as per the lifecycle link
you reference yourself further below).

Even if unsuitable for Debian stable, some derivatives of Debian rely
not on Debian stable but Debian testing, and would be able to distribute
Bitcoin even when Debian itself cannot.

> In the past, the package has been disabled, because security updates
> were not applied in a timely manner:
> https://lists.debian.org/debian-backports/2013/12/msg00062.html
> Do you think it would be possible to maintain the Debian Bitcoin Core
> package in stable (or oldstable) in a way that upstream security
> releases are followed?

Yes, sort of...

What I expect to be realistic is including e.g. 0.20.0 shortly before
freeze of bullseye, have it included when bullseye becomes stable 3-6
months later, and then when 0.20.1 comes out cherry-pick
security-related patches from that (or possibly use upstream release
directly if it _only_ contains conservative minimal security-related
changes) and push that to stable, and repeat for each minor release of
0.20 branch, and finally when upstream drops support for 0.20 branch
either let it bitrot until a severe flaw is discovered that no one
contributes a patch for, or proactively kick it out of stable/unstable.

> Note that for firefox there is a firefox-esr version which is kept up
> to date even for Debian versions released a long time ago.

firefox-esr is treated specially in Debian: Unlike packages generally in
Debian, major upstream changes - not only security fixes - are permitted
into stable and oldstable for that package.

> Do you think that the long term support of Debian for releases does
> not go well with the EOL policy of Bitcoin Core? See
> https://bitcoincore.org/en/lifecycle/

(odd that you ask that question negated)

My discovering that lifecycle page boosted my hope on some day having
bitcoin included in a stable release of Debian.

Would certainly be better if upstream could security-maintain their
releases even longer, but this is already quite good.

Does that somehow answer your question?

Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

