Hi,

On Thu, 06 Oct 2016, Adrian Bunk wrote:
> On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> >...
> > > Do you have any rationale why you think -1~deb7u1 would be better
> > > than -0+deb7u1?
> >
> > My preference goes for the former because it matches the logic of
> > backported packages and thus does not introduce a new concept while
> > -0+deb7u1 is not something we use in another context.
>
> -0+deb7u1 is a concept already used in DSAs for exactly this purpose.

It's not always the case. Check out all the OpenJDK DSA, just like MySQL
we import newer upstream releases:
https://lists.debian.org/debian-security-announce/2016/msg00028.html
https://tracker.debian.org/pkg/openjdk-7

So while it has been used it's not the only one in use in the context
of the security team.

> I just found a good example how the versioning you are suggesting could
> cause real problems:

If you mix two versioning schemes for security updates in two releases,
you're going to have problems, that's granted. The point of this
discussion is to find out which of the two we should standardize on.

We should invite the security team in the discussion and then document the
recommended versioning scheme.

I still continue to believe that -1~debXuY is enough and that -0+debXuY
is not required and even awkward when it's really a backported version
of something packaged in a newer release.

But in the end, whatever is picked, it's not a big deal. What is important
is to record the result of the discussion in our LTS/security
documentation and ideally in the developers reference.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
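
The ordering this thread turns on, worked through as an added example (not part of the original message, and not dpkg's own code): a small Python reimplementation of Debian version comparison, used to check that a security update in an older release still sorts below the one in the newer release. The upstream version 1.2.3, the deb8 suffix and the helper names are constructed for illustration.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character weights: '~' < end of string < letters < other chars
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating (non-digit, digit) chunks, e.g. "1~deb7u1" ->
    # ("", "1"), ("~deb", "7"), ("u", "1")
    chunks = zip_longest(re.findall(r"(\D*)(\d*)", a),
                         re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (na, da), (nb, db) in chunks:
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing revision compares like "0"
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    """Return -1, 0 or 1 following the Debian version ordering rules."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def upgrade_path_ok(old_release_ver, new_release_ver):
    # A release upgrade only pulls the newer release's package if it sorts higher.
    return deb_cmp(old_release_ver, new_release_ver) < 0

if __name__ == "__main__":
    up = "1.2.3"  # constructed upstream version
    for old, new in [(f"{up}-1~deb7u1", f"{up}-1~deb8u1"),   # both '~' scheme
                     (f"{up}-0+deb7u1", f"{up}-0+deb8u1"),   # both '+' scheme
                     (f"{up}-1~deb7u1", f"{up}-0+deb8u1")]:  # mixed schemes
        print(old, "->", new, "ok" if upgrade_path_ok(old, new) else "BROKEN")
```

Either scheme is monotonic when used in both releases; only the mixed pair sorts the older release's update above the newer one.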
