On Tue, Feb 03, 2004 at 05:30:19PM +0200 or thereabouts, Dan Armak wrote:
> I don't understand this comment. The developers would still work against a cvs
> tree that contains all the latest stable stuff (base + changes) so why would
> there be a problem with deps that weren't in the orig GLEP?
Sorry -- I should have spelled this out a little more.

One of Spider's points was that people may not want to update every quarter -- they might prefer an annual update cycle. We're facilitating this by guaranteeing ebuilds will be in the tree at least a year. However, if we're supporting distributions of the stable tree via tbz2s and security/bugfixes via rsync, then I can see a problem with some of the security/bugfixes requiring dependencies that aren't in some of the older trees.

As a (purely hypothetical) example:

The 2004.0 stable tree gets released and includes OpenSSL 0.9.6

...11 months pass by...

A security vulnerability is found in gaim. The new gaim ebuild is added to the tree, but it depends on OpenSSL 0.9.7. Now anyone using 2004.0 is going to have problems.

We could work around this by including OpenSSL 0.9.7 in the security/update tree, but that also has a couple of problems:

* how can we easily figure out that OpenSSL 0.9.7 needs to get in there in the first place.
* It, in and of itself, isn't a security/bug fix update, yet anyone running the stable tree is going to get it as such the next time they sync their tree.

--kurt
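The first of the two problems above (working out which extra packages a security fix drags into a frozen stable tree) is mechanical enough to script. The following is an added example, not code from this thread or from portage: it models a stable-tree snapshot as a map of package name to available versions, a security/update tree as a set of ebuilds with simple `>=` dependencies, and walks the fix's dependency closure to list what is missing from the snapshot. The package names, version numbers, snapshot contents and the "which updates count as security fixes" label are all constructed to mirror the gaim/OpenSSL scenario; the generalisation to transitive dependencies goes beyond the single-level case in the message.

```python
"""Walk a security-fix ebuild's dependencies against a frozen stable tree.

Constructed toy model, not portage code. Versions are dotted integers compared
as tuples; dependencies are '>=' constraints only. The point is to answer
"what else gets pulled in?" before a fix lands in the security/update tree.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ebuild:
    name: str
    version: tuple          # e.g. (0, 9, 7)
    deps: tuple = ()        # ((dep_name, minimum_version), ...)


def ver(s):
    """'0.9.7' -> (0, 9, 7); tuple ordering gives the >= comparison we need."""
    return tuple(int(x) for x in s.split("."))


# Constructed snapshot of a hypothetical 2004.0 stable tree: name -> versions present.
STABLE_2004_0 = {
    "gaim": {ver("0.75")},
    "openssl": {ver("0.9.6")},
    "glib": {ver("2.2.3")},
}

# Constructed later snapshot (a quarterly updater) that already carries the newer OpenSSL.
STABLE_2004_3 = {
    "gaim": {ver("0.75")},
    "openssl": {ver("0.9.6"), ver("0.9.7")},
    "glib": {ver("2.2.3")},
}

# Constructed security/update tree, i.e. what rsync would offer months later.
UPDATE_TREE = (
    Ebuild("gaim", ver("0.76"), (("openssl", ver("0.9.7")), ("glib", ver("2.2.3")))),
    Ebuild("openssl", ver("0.9.7"), ()),
    Ebuild("glib", ver("2.2.3"), ()),
)

# Constructed labels: which update ebuilds are themselves security/bug fixes.
SECURITY_FIXES = {("gaim", ver("0.76"))}


def satisfied(tree, name, minimum):
    """True if the frozen tree already has a version meeting the constraint."""
    return any(v >= minimum for v in tree.get(name, ()))


def newest(update_tree, name, minimum):
    """Pick the newest ebuild in the update tree that meets the constraint, or None."""
    cands = [e for e in update_tree if e.name == name and e.version >= minimum]
    return max(cands, key=lambda e: e.version) if cands else None


def pulled_in(stable, update_tree, root):
    """Ebuilds (beyond `root`) that must be added to `stable` before `root` merges.

    Walks dependencies transitively; raises KeyError when a constraint cannot be
    met from either tree, which is the case that should block the fix from shipping.
    """
    added = {}                      # name -> Ebuild chosen from the update tree
    stack = list(root.deps)
    while stack:
        name, minimum = stack.pop()
        if satisfied(stable, name, minimum):
            continue
        if name in added and added[name].version >= minimum:
            continue
        e = newest(update_tree, name, minimum)
        if e is None:
            raise KeyError(f"{name} >= {'.'.join(map(str, minimum))} not available anywhere")
        added[name] = e
        stack.extend(e.deps)
    return list(added.values())


def classify(stable, update_tree, root, security_fixes):
    """Split the pulled-in set into fixes and the plain version bumps riding along."""
    extra = pulled_in(stable, update_tree, root)
    keys = [(e.name, e.version) for e in extra]
    return {
        "security": [k for k in keys if k in security_fixes],
        "non_security": [k for k in keys if k not in security_fixes],
    }


if __name__ == "__main__":
    gaim_fix = next(e for e in UPDATE_TREE if e.name == "gaim")
    for label, tree in (("2004.0", STABLE_2004_0), ("2004.3", STABLE_2004_3)):
        print(label, classify(tree, UPDATE_TREE, gaim_fix, SECURITY_FIXES))
```

Run against the constructed 2004.0 snapshot, the gaim fix reports OpenSSL 0.9.7 as a non-security package it silently pulls in; against the 2004.3 snapshot it reports nothing, which is exactly the difference between the quarterly and annual updaters that the message is worried about. In a real tree the same walk would read DEPEND/RDEPEND from the ebuilds rather than this hand-written model.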
