Hi Security and LTS folks,

Am 01.12.2016 um 15:54 schrieb Salvatore Bonaccorso:
> On Wed, Nov 30, 2016 at 04:05:20PM -0500, Antoine Beaupré wrote:
>> +nss (2:3.26.2-1+debu7u1) UNRELEASED; urgency=high
>> +
>> +  * Non-maintainer upload by the LTS Security Team.
>> +  * New upstream release to fix CVE-2016-9074
> Depending on what is done this should be either 2:3.26.2-0+debu7u1 or
> 2:3.26.2-1~debu7u1, but 2:3.26.2-1+debu7u1 is higher than 2:3.26.2-1.
> The former if you import new orig source on top of the previous
> packaging to indicate the new import and have a version which is
> before any possible such ones uploaded to unstable (which is even true
> in this case because 2:3.26.2-1 is currently in unstable). The later
> is often prefered if the package is mostly are build of :3.26.2-1 for
> Wheezy. (The later proposed version works obviously as well in the
> case of just a new upstream import, but Release team has often as well
> done that distinction for the ~debXuY suffix).

With this topic being discussed again and again recently, I suggest that
we should agree on a defined standard regarding the versioning of new
upstream releases uploaded to (old)?stable(-security)? and document it
somewhere. What do you think?

I don't have particular strong feelings on the exact versioning but I
think that the following should be considered:

*) New upstream releases in (old)?stable should use lover version
   numbers than their equivalent uploaded to unstable. This because
   packages uploaded to unstable are built using more recent versions
   of the build toolchain and libraries.
*) The versioning should make it obvious whether the new release is
   based on a similar upload to unstable or whether it's packaged
   solely for (old)?stable.

Consequently, the following (as already done for most uploads of new
releases to (old)?stable) is my suggestion:

*) Uploads of new upstream releases to (old)?stable that were packaged
   for unstable before should use the '~debXu1' suffix to the version
   number from unstable as they're basically backports of the package
   from unstable.
*) Uploads of new upstream releases that were not packaged for unstable
   yet or will never be, should use the '1.2.3-0+debXu1' format (given
   that '1.2.3' is the upstream version.

If we can agree on this, what would be the proper place to document it
for the future? Ideally, this should be mandatory for any uploads of new
upstream releases to the (old)?stable suites, be it to
(old)?stable-security, to stable-proposed-updates or to stable-updates.

Anything I forgot to consider?


Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to