RfD: Version conflicts when updating Drupal in Debian

2009-01-08 Thread Ingo Jürgensmann
Hi!

Drupal, both version 5 and version 6, is a popular CMS and is in the Debian
archive. Upstream regularly releases security updates, which is a good
thing. 
Unfortunately Debian's packaging is lagging behind. No, I don't want to blame
the maintainer, who is doing a good job anyway. The problem is a different
versioning between Drupal upstream and Debian packaging. 

For example the drupal6 package is version 6.6-1.1 while the problem which
led to 6.6-1.1 was fixed in upstream version 6.7. 
This in itself is not a real issue as it is the way Debian works or
handles security issues. 
The problem comes with Drupal's own checks. Since drupal6 the 3rd party update
module from drupal5 was included into drupal6 core. With this addition to
Drupal Core Modules the user/admin is now informed about (security) updates
of installed modules, which is a good thing for security as well. 

But now there's a warning about pending security issues every time an admin
of a Drupal site logs in: 

|There is a security update available for your version of Drupal. To ensure
|the security of your server, you should update immediately! See the
|available updates page for more information.

On the update page: 

|Drupal 6.6  Security update required!
|Recommended version:   6.8 (2008-Dez-11)   
|
|* Download
|* Release notes
|
|Security update:   6.7 (2008-Dez-10)   
|
|* Download
|* Release notes
|
|Includes: Block, Blog, Color, Comment, Content translation, Database
|logging, Filter, Forum, Help, Locale, Menu, Node, OpenID, PHP filter, Path,
|Ping, Profile, Search, Statistics, System, Taxonomy, Tracker, Trigger,
|Update status, Upload, User

This is not only annoying but also irritating because of different
versioning between what Drupal says itself and what is installed by Debian.
(Well, yes, Debian seems to lag behind one version atm ;)

So, how can this be solved so that our users are not irritated every time
they visit their own Drupal sites?

-- 
Ciao...//  Fon: 0381-2744150 
  Ingo   \X/   http://blog.windfluechter.net

gpg pubkey: http://www.juergensmann.de/ij_public_key.asc


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: RfD: Version conflicts when updating Drupal in Debian

2009-01-08 Thread MJ Ray
Ingo Jürgensmann ij at 2008.bluespice.org writes:
> For example the drupal6 package is version 6.6-1.1 while the problem which
> led to 6.6-1.1 was fixed in upstream version 6.7.
> [...] the user/admin is now informed about (security) updates
> of installed modules, which is a good thing for security as well.
[...]
> So, how can this be solved so that our users are not irritated every time
> they visit their own Drupal sites?

1. patch debian's drupal so it thinks it is equivalent to 6.7 in the above
example;

2. patch debian's drupal to disable the check of debian-packaged drupal modules
(maybe through debconf option?);

3. something else.

Thanks,
-- 
MJ Ray (slef)
Webmaster for hire, statistician and online shop builder for a small
worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
(Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237






Re: RfD: Version conflicts when updating Drupal in Debian

2009-01-08 Thread Michael Banck
On Thu, Jan 08, 2009 at 12:11:33PM +0100, Ingo Jürgensmann wrote:
> So, how can this be solved so that our users are not irritated every time
> they visit their own Drupal sites?

By filing an appropriate bug in the BTS, if there is none already.


cheers,

Michael





Re: RfD: Version conflicts when updating Drupal in Debian

2009-01-08 Thread Luigi Gangitano

Hi Ingo,

On 08/Jan/09, at 12:11, Ingo Jürgensmann wrote:
> Unfortunately Debian's packaging is lagging behind. No, I don't want to blame
> the maintainer, who is doing a good job anyway. The problem is a different
> versioning between Drupal upstream and Debian packaging.
>
> For example the drupal6 package is version 6.6-1.1 while the problem which
> led to 6.6-1.1 was fixed in upstream version 6.7.


Debian has a strict policy regarding packages frozen for a stable
release: no new upstream version can be added once the archive has
been frozen, while small changes can be applied via patches to
packages currently in the archive. This is the reason why the security
patch released in 6.7 has been integrated in drupal6_6.6-1.1.
Obviously the package version has not changed and will not change in
future security releases.


> So, how can this be solved so that our users are not irritated every time
> they visit their own Drupal sites?


Since drupal has its own check for upstream version and debian is
committed to provide security patches for the lenny support lifetime,
the best way to handle this issue is to disable the new upstream check in
debian packages. This will lead to a stable package with drupal 6.6 +
all security patches, which will be almost 'up to date' for some
months (at least until drupal 7).


Can you please file a bug for this issue in debian BTS?

Regards,

L

--
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
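
Added example (not part of any message in this thread, and neither Drupal's update module nor Debian's patch): a sketch of MJ Ray's option 1 combined with Luigi's point that the 6.7 fix is carried in drupal6 6.6-1.1. The BACKPORT_EQUIVALENT map and all function names are hypothetical; the release data is constructed from the update page quoted in the first message.

```python
import re

# Upstream releases as listed on the update page quoted in the thread
# (6.7 = security update, 6.8 = recommended version). Constructed sample data.
UPSTREAM_RELEASES = [
    {"version": "6.7", "security": True},
    {"version": "6.8", "security": False},
]

# Hypothetical packager-maintained map: Debian package version -> upstream
# release whose security fixes it already carries. An entry belongs here only
# once the fix is really in the package, or a true warning gets suppressed.
BACKPORT_EQUIVALENT = {"6.6-1.1": "6.7"}


def upstream_part(debian_version):
    """Drop an optional epoch and the Debian revision: '1:6.6-1.1' -> '6.6'."""
    without_epoch = debian_version.split(":", 1)[-1]
    if "-" in without_epoch:
        return without_epoch.rsplit("-", 1)[0]
    return without_epoch


def as_tuple(version):
    """'6.10' -> (6, 10), so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def update_status(debian_version, backports=None):
    """Return 'security', 'not-current' or 'current' for an installed package."""
    backports = backports or {}
    key = debian_version.split(":", 1)[-1]  # map keys carry no epoch
    effective = backports.get(key, upstream_part(debian_version))
    newer = [r for r in UPSTREAM_RELEASES
             if as_tuple(r["version"]) > as_tuple(effective)]
    if any(r["security"] for r in newer):
        return "security"      # what the admin sees today for 6.6-1.1
    return "not-current" if newer else "current"
```

Without the map the check sees only the upstream part, 6.6, and reports a pending security update; with it, 6.6-1.1 is treated as 6.7 and only the non-security 6.8 release remains outstanding.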


