On 1 Feb 2011, at 15:15, Arjan van de Ven wrote:

> On 2/1/2011 6:33 AM, Ross Burton wrote:
>> Hi,
>>
>> So I've been investigating using Tumbler (thumbnailing daemon) in a
>> project I'm working on. OBS Trunk had Tumbler 0.1.1 -- very old -- so I
>> naturally grabbed upstream git and started patching it to suit our
>> needs, with the aim of updating OBS Trunk to the latest release this
>> week before the feature freeze.
>>
>> Then I find out that Tumbler 0.1.12 was just submitted to Trunk:Testing
>> by Maitrey Mishra from Nokia. This confused me greatly because the
>> upstream (XFCE-hosted) Tumbler is currently version 0.1.6 (released
>> January 16th 2011).
>>
>> Does MeeGo have a policy on hostile forks that don't change name but
>> continue the versioning as if they were their own? I'd expect the
>> policy to be "don't do that" but apparently not, because this isn't the
>> first instance that comes to mind.
>
>
> if we have a tarball in a package that is versioned/made to look like an
> upstream tarball, but is not identical
> to the upstream tarball, that is a HUGE problem (basically equivalent to
> having a trojan added, since we can't tell
> if that happened by comparing the tarballs).
>
This is a huge problem, agree. Perhaps Mishra can explain where he got the 0.1.12 from?

Anas

> If that is happening here then that needs to be rectified urgently.
>
> If someone feels the need to fork an upstream project, you must
> 1) clearly mark the tarball as such, ideally providing your fork as a patch,
> not a new tarball. But if your change is 100Kb or more, that may not be
> practical
> 2) keep the version of the project you forked from; so if you forked 0.1.6
> you name your tarball 0.1.6.forked.01 or so..
>
> _______________________________________________
> MeeGo-packaging mailing list
> [email protected]
> http://lists.meego.com/listinfo/meego-packaging
