On Sat, Feb 6, 2016 at 4:31 PM, Stephen J. Turnbull <step...@xemacs.org> wrote: > However, the technical problem remains. For example, you mention > Debian. While Debian keeps its source and binary packages very close > to "in sync" on the server, there are several gotchas. For example, > Debian does not restrict itself to packaging patches, it sometimes > breaks your security when it thinks it's smarter than Bruce. So > ... is the corresponding source you're interested in the patched or > unpatched source? Do you know which you get when you install the > source package? Do you know how to get the other? Suppose for > reasons of stability you've "pinned" the binary. Is the corresponding > Debian source package still easily available? Did you think of that > gotcha when you installed the source package, or did you just assume > they were still in sync? I'm sure somebody with the "security > mindset" (eg, Bruce) can think of many more....
Right, sure. The technical problems are still there. Although I'm fairly confident that Debian's binaries would correspond to Debian's source - but honestly, if I'm looking for sources for anything other than the kernel, I probably want to get the latest from source control, rather than using the somewhat older version shipped in the repos. As to availability, though, most of the big distros (including Debian) keep their sources around for a long time. ChrisA _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
