Hi Raphael,

On Fri, Oct 07, 2016 at 09:11:15AM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > >...
> > > > Do you have any rationale why you think -1~deb7u1 would be better
> > > > than -0+deb7u1?
> > >
> > > My preference goes for the former because it matches the logic of
> > > backported packages and thus does not introduce a new concept while
> > > -0+deb7u1 is not something we use in another context.
> >
> > -0+deb7u1 is a concept already used in DSAs for exactly this purpose.
>
> It's not always the case. Check out all the OpenJDK DSA, just like
> MySQL we import newer upstream releases:
> https://lists.debian.org/debian-security-announce/2016/msg00028.html
> https://tracker.debian.org/pkg/openjdk-7
>
> So while it has been used it's not the only one in use in the context
> of the security team.
>
> > I just found a good example how the versioning you are suggesting could
> > cause real problems:
>
> If you mix two versioning schemes for security updates in two releases,
> you're going to have problems, that's granted.
>
> The point of this discussion is to find out on which of the two we should
> standardize on.
>
> We should invite the security team in the discussion and then document the
> recommended versioning scheme.
>
> I still continue to believe that -1~debXuY is enough and that -0+debXuY
> is not required and even awkward when it's really a backported version
> of something packaged in a newer release.
>
> But in the end, whatever is picked, it's not a big deal. What is important
> is to record the result of the discussion in our LTS/security
> documentation and ideally in the developers reference.

-0+deb8u1 and -1~deb8u1 have "different meanings". Here is an explanation of the rough use, how it's used for us, but I think the (S)RM is usually giving similar advice on the versioning when it comes to a proposed-update:

If we just import a new upstream version on top of the previous packaging, then we indicate this with a -0+deb8u1, which will sort as well before any -1 in unstable. Examples for such uploads are the already mentioned mysql-5.5, but as well php5 or mariadb-10.0.

If it's basically/roughly a rebuild of the upper suite version, then -1~deb8u1 will be similar to the bpo versions use and sort before the upper suite version.

Hope this explains the why of the different uses.

Regards,
Salvatore
