Web lists-archives.com

Re: Auto-update for sid? Auto-backport?

Hello Steffen,

On Wed, Nov 15 2017, Steffen Möller wrote:

> I would really like to see updates performed in some automated
> fashion.  Maybe into a different section of Debian like sid-auto? The
> problem with that obviously is the missing scrutiny by the human
> maintainer, so it cannot go straight into sid. Or can it? Maybe with
> an auto-created bug report against the package so it does not
> auto-migrate into testing?

There is an interesting social dimension to the scrutiny by a human
maintainer.  Debian package maintainers rarely review in detail the full
diffs between upstream releases, relying instead on trust relationships
that exist with upstream maintainers.  However, I suspect that those
trust relationships are supported in turn by the knowledge that the
Debian maintainer /could/ review the full diff, or do a partial review.

If an upstream author knows their code will go straight into an active
Debian suite when they push a git tag to GitHub, the trust dynamic is
changed, I think for the worse.

> A similar situation I see with backports. Most commonly all that is
> needed is a recompilation. Would an automation of that process be
> acceptable? Would it be acceptable for packages that offer some means
> of automated testing and are in backports already?

This seems much riskier, because we're talking about packages that get
installed on stable systems, which are more likely to be doing
security-sensitive work (I know that we don't give the same guarantees
for stable+backports that we do for stable, but the point remains).

Sean Whitton

Attachment: signature.asc
Description: PGP signature