"Rodney Dawes" <rodney.da...@canonical.com> wrote:
>On Sat, 2010-11-27 at 12:10 -0800, Clint Byrum wrote:
>> Also, why would 10.10 need to be updated in any way if it already
>> supports the newer protocol?
>
>In 10.10 and 11.04, we already ship CouchDB 1.0. Why should users
>continue to have two versions installed after an upgrade to either of
>those versions of Ubuntu? We will have to ship updates so that the
>package splitting we might do, would be reconciled on upgrade.
>

As long as the security fixes are done for the existing packages it's harmless for them to remain installed. Once the u-one client no longer depends on it, it should be eligible for auto removal in any case. Fixing the upgrade case can be easily handled by update-manager.

>> > There are also other security fixes included in the set of changes from
>> > 0.10 to 1.0, which means anyone actually using 0.10 is probably going to
>> > have to update anyway.
>> >
>>
>> Our security team backports security fixes to the released version in an
>> LTS, so I'm not sure how that is relevant.
>>
>
>The situation is similar to that of Firefox. CouchDB is not a simple
>package. The fixes are not simply applied to the older version. They are
>fairly invasive. Otherwise, we wouldn't be having this 3 month long
>conversation trying to come up with an amicable solution for all
>parties, as we would have already backported the fix we need. And I'm
>sure an SRU would have been in that case, were it possible. With Firefox
>and other Mozilla projects in the past, security updates have been
>issued by upgrading to a newer major version of the package in
>question.

This is not even remotely like Firefox.

Scott K

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com