On Tuesday 03 February 2004 17:29, Dan Armak wrote: > > I meant a scenario like this: > - foo-1 and mylib-1 are in the stable tree. > - Time passes and mylib-2 and foo-2 enter the main tree. > - One day exploits are found in foo; foo-2-r1 which contains the fixes is > added to the stable tree. It only depends on >=mylib-1, so mylib-2 isn't > added to the stable tree. > - The combination foo-2 + mylib-1 is buggy. But no-one ever tested it, > because foo-2 came out after mylib-2 and that's what everone tested it > with. So the bug will make its first appearence in the stable tree. > > This is an unlikely event but with a big enough tree with lots of > interdependencies it will happen occasionally. Similar things happen > sometimes in the main tree, and we have to change a dep to require the > latest version of a library, not because the library's new functionality or > interface is required, but because the new app version triggers bugs in the > old library version. > > (I'm reminded of the libxml2/libxslt vs. kde docs versioning story, though > that was somewhat different...)
That's why I am in favor of backporting security fixes unless it is absolutely impossible. The big question is, can we pull that off? I don't know? For me a fixed tree means that it does not change unless. And in case a change is unavoidable, it changes as little as possible -> backporting security fixes. Paul -- Paul de Vrieze Gentoo Developer Mail: [EMAIL PROTECTED] Homepage: http://www.devrieze.net
pgp00000.pgp
Description: signature
