On Wednesday, 28 October 2020 6:13:41 AM AEDT Moritz Mühlenhoff wrote:
> The bigger issue here (independent of the whole vendoring aspect) is
> how kubernetes can be supported in a stable release to begin with.
> This was raised by Shengjing Zhu in #959685 before.

If Kubernetes can be supported then such support will be done by upstream,
but with extraordinary amount of dependencies (and upstream reluctance to 
manage them), I have very low confidence and low expectations for quality
of such support. The problem primarily is that Kubernetes vendors hundreds
of dependencies representing a large support surface. Effectively it is
"#include world" (or vendor world) situation. And when it comes to problems
in 3rd party vendored libraries, it iw worth remembering that Kubernetes 
don't own them.

> This leaves Debian with two options:
> * Keep it out of a stable release and accept that it's good enough
>   if people just install whatever deb they currently find in testing/sid
>   (works out well enough for most given that blob nature of Go!)

IMHO this is the most reasonable option and perhaps the only viable one.

> * Follow a scheme similar to Firefox ESR where in case of a security
>   the update either happens to the latest minor release of
>   the current branch or if that has stopped, happens to the next
>   major release.

I think Kubernetes have many more vendored 3rd party libraries than Firefox.
IMHO we can not expect the same level of confidence for Kubernetes...

Best wishes,
 Dmitry Smirnov
 GPG key : 4096R/52B6BBD953968D1B


You have to start with the truth. The truth is the only way that we can
get anywhere. Because any decision-making that is based upon lies or
ignorance can't lead to a good conclusion.
    -- Julian Assange, 2010

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to