Re: What can Debian do to provide complex applications to its users?

On Fri, Mar 09, 2018 at 02:07:19AM +0100, gregor herrmann wrote: > On Thu, 08 Mar 2018 23:03:17 +0200, Adrian Bunk wrote: > > > The first question should always be if/how we can provide something that > > is better than what is already available elsewhere. > > An answer to that question might

Re: What can Debian do to provide complex applications to its users?

On Fri, Mar 09, 2018 at 02:07:19AM +0100, gregor herrmann wrote: > We might need an archive area which is independent of our release > suites. .oO( PPAs ) -- cheers, Holger signature.asc Description: PGP signature

Re: What can Debian do to provide complex applications to its users?

On Thu, 08 Mar 2018 23:03:17 +0200, Adrian Bunk wrote: > The first question should always be if/how we can provide something that > is better than what is already available elsewhere. An answer to that question might often be: "because it integrates into a Debian system". -- This is also an

Re: What can Debian do to provide complex applications to its users?

On Tue, Feb 27, 2018 at 02:13:41PM +0100, Didier 'OdyX' Raboud wrote: >... > In other words, vendorization is the tool that allows developers to get rid > of > distribution constraints and get on with their development through installing > the dependencies from their ecosystem as they see fit

Re: What can Debian do to provide complex applications to its users?

On Tue, Feb 27, 2018 at 02:14:02PM +, Simon McVittie wrote: >... > Also, the security team specifically don't provide security > support for libv8, which apparently extends to node-* packages like > , so it's > hard to see how

Re: What can Debian do to provide complex applications to its users?

Hello, On Sun, Mar 04 2018, Didier 'OdyX' Raboud wrote: > Le mardi, 27 février 2018, 14.13:41 h CET Didier 'OdyX' Raboud a >écrit : >> tl;dr: a new package format is needed, with a new non-suite-specific >> repository is needed to bring the Debian added-value to these >> ecosystems. > > FTR, my

Re: What can Debian do to provide complex applications to its users?

Le mardi, 27 février 2018, 14.13:41 h CET Didier 'OdyX' Raboud a écrit : > tl;dr: a new package format is needed, with a new non-suite-specific > repository is needed to bring the Debian added-value to these ecosystems. FTR, my current line of thought and understanding is that guix or nix do

Re: What can Debian do to provide complex applications to its users?

On Thu, 2018-03-01 at 09:53 +0100, Didier 'OdyX' Raboud wrote: > Maybe what we need is a packaged nix and a standardized nix repository. There is an ITP and RFS: https://bugs.debian.org/877019 https://bugs.debian.org/877331 I assume Nix/NixOS have a standard repo already. -- bye, pabs

Re: What can Debian do to provide complex applications to its users?

Hello, On Thu, Mar 01 2018, Didier 'OdyX' Raboud wrote: > In pretty much the same vein as dh-virtualenv, a possibility would be > to do install-time build, through triggers for example. Just to note that the emacsen-common infrastructure does this too, as another place to look for a working

Re: What can Debian do to provide complex applications to its users?

Holger Levsen writes ("Re: What can Debian do to provide complex applications to its users?"): > On Thu, Mar 01, 2018 at 10:26:27AM +0100, Didier 'OdyX' Raboud wrote: > > Good point: not all versions are desirable; "majors" can be installed in > > parallel,

Re: What can Debian do to provide complex applications to its users?

Didier 'OdyX' Raboud writes ("Re: What can Debian do to provide complex applications to its users?"): > Le mercredi, 28 février 2018, 06.06:54 h CET Sean Whitton a écrit : > > No, but we might often have reason to maintain a small delta. We patch > > upstream source

Re: What can Debian do to provide complex applications to its users?

Didier 'OdyX' Raboud writes ("Re: What can Debian do to provide complex applications to its users?"): > Le mardi, 27 février 2018, 14.48:48 h CET Ian Jackson a écrit : > > Instead, establish a formal convention about embedding the (stable > > part of) the version n

Re: What can Debian do to provide complex applications to its users?

On Thu, Mar 01, 2018 at 10:26:27AM +0100, Didier 'OdyX' Raboud wrote: > Good point: not all versions are desirable; "majors" can be installed in > parallel, "minors" are updates to the formers. I dont get this, your minor difference may make a major difference to me. So if you/we were allowing

Re: What can Debian do to provide complex applications to its users?

Le mardi, 27 février 2018, 15.14:02 h CET Simon McVittie a écrit : > Here is a different straw man, which I think might be similarly effective > and a lot less work: > > On Tue, 27 Feb 2018 at 14:13:41 +0100, Didier 'OdyX' Raboud wrote: > > As Debian, we > > are insisting that our releases

Re: What can Debian do to provide complex applications to its users?

Le mercredi, 28 février 2018, 06.06:54 h CET Sean Whitton a écrit : > > Furthermore, abandon the patch queue approach to Debian package > > management. We will not be able to maintain a big delta to any of > > these packages anyway. > > No, but we might often have reason to maintain a small

Re: What can Debian do to provide complex applications to its users?

Le mardi, 27 février 2018, 14.48:48 h CET Ian Jackson a écrit : > I have some specific comments: > > Imagine > > * a new .vdeb format variant that: > > ** enables for multiple versions to be installed in parallel, where files > >are unpacked in a version-specific paths > > Instead, establish

Re: What can Debian do to provide complex applications to its users?

Le jeudi, 1 mars 2018, 06.29:37 h CET Paul Wise a écrit : > On Tue, Feb 27, 2018 at 9:13 PM, Didier 'OdyX' Raboud wrote: > > Now, as a strawman proposition, here's what I fiddled with in my mind for > > some days now: > This reminds me a bit of Nix or Gentoo Prefix. Yes, only for the upper

Re: What can Debian do to provide complex applications to its users?

Le mercredi, 28 février 2018, 06.04:27 h CET Sean Whitton a écrit : > On Tue, Feb 27 2018, Didier 'OdyX' Raboud wrote: > > ** is restricted to be arch:all (~ shipping interpreter scripts) > > There are compiled binary ecosystems that would benefit from your > proposal, such as Haskell, so could

Re: What can Debian do to provide complex applications to its users?

Le mercredi, 28 février 2018, 04.57:50 h CET Russell Stuart a écrit : > On Tue, 2018-02-27 at 14:13 +0100, Didier 'OdyX' Raboud wrote: > > > - we could ship those applications not as .deb but as container > > > > > > and let them have their own lifecycle > > > > tl;dr: a new package format is

Re: What can Debian do to provide complex applications to its users?

On Tue, Feb 27, 2018 at 9:13 PM, Didier 'OdyX' Raboud wrote: > Now, as a strawman proposition, here's what I fiddled with in my mind for some > days now: This reminds me a bit of Nix or Gentoo Prefix. > ** is restricted to be arch:all (~ shipping interpreter scripts) Hmm, so this isn't going

Re: What can Debian do to provide complex applications to its users?

Simon McVittie writes ("Re: What can Debian do to provide complex applications to its users?"): > Here is a different straw man, which I think might be similarly effective > and a lot less work: FTR, even though I am trying to participate constructively and help refine Didier's p

Re: What can Debian do to provide complex applications to its users?

Sean Whitton writes ("Re: What can Debian do to provide complex applications to its users?"): > On Tue, Feb 27 2018, Ian Jackson wrote: > > I would like to suggest a radical approach to the source code > > management for your system: abandon source *packages* in favour o

Re: What can Debian do to provide complex applications to its users?

Hello Ian, On Tue, Feb 27 2018, Ian Jackson wrote: > I would like to suggest a radical approach to the source code > management for your system: abandon source *packages* in favour of git > trees. Why do you think Didier's proposal, in particular, represents an opportunity to do this? Is it

Re: What can Debian do to provide complex applications to its users?

Hello Didier, Thanks for sharing this. On Tue, Feb 27 2018, Didier 'OdyX' Raboud wrote: > ** is restricted to be arch:all (~ shipping interpreter scripts) There are compiled binary ecosystems that would benefit from your proposal, such as Haskell, so could you say more about why you want this

Re: What can Debian do to provide complex applications to its users?

On Tue, 2018-02-27 at 14:13 +0100, Didier 'OdyX' Raboud wrote: > > - we could ship those applications not as .deb but as container > >   and let them have their own lifecycle > > tl;dr: a new package format is needed, with a new non-suite-specific  > repository is needed to bring the Debian

Re: What can Debian do to provide complex applications to its users?

Here is a different straw man, which I think might be similarly effective and a lot less work: On Tue, 27 Feb 2018 at 14:13:41 +0100, Didier 'OdyX' Raboud wrote: > As Debian, we > are insisting that our releases ideally only contain a single version of a > software, that we insist is made

Re: What can Debian do to provide complex applications to its users?

Ian Jackson writes ("Re: What can Debian do to provide complex applications to its users?"): > The primary difficulty we have with Red Queen's Race [1] ecosystems is > the lack of stable ABI/APIs, the tight binding of versions, and the > rapid update cycle. Missing footnot

Re: What can Debian do to provide complex applications to its users?

Didier 'OdyX' Raboud writes ("Re: What can Debian do to provide complex applications to its users?"): > Now, as a strawman proposition, here's what I fiddled with in my mind for > some > days now: > > Imagine > * a new .vdeb format variant that: > *

Re: What can Debian do to provide complex applications to its users?

Le vendredi, 16 février 2018, 16.11:29 h CET Raphael Hertzog a écrit : > I don't have any definite answers although there are ideas to explore: > > - we could relax our requirements and have a way to document the > limitations of those packages (wrt our usual policies) > > - we could ship

Re: What can Debian do to provide complex applications to its users?

On Fri, Feb 16, 2018 at 04:11:29PM +0100, Raphael Hertzog wrote: > Hello everybody, > > the fact that I had to request the removal of dolibarr from Debian makes > me sad (see below for the reasons) and I believe that we should be able > to do better to provide complex applications to our end

Re: What can Debian do to provide complex applications to its users?

On Wed, 21 Feb 2018, Vincent Bernat wrote: > ❦ 21 février 2018 07:07 +0100, Alexander Wirt  : > > > No, backports doesn't have official security support in the meaning that > > the team is tracking and looking after security issues in backports. > > Nevertheless every

Re: What can Debian do to provide complex applications to its users?

❦ 21 février 2018 07:07 +0100, Alexander Wirt  : > No, backports doesn't have official security support in the meaning that > the team is tracking and looking after security issues in backports. > Nevertheless every backporter has to care about security, we do expect that >

Re: What can Debian do to provide complex applications to its users?

On Tue, 20 Feb 2018, Vincent Bernat wrote: > ❦ 20 février 2018 09:05 +0200, Arto Jantunen  : > > >> Moreover, backports do not accept security patches. You can only push a > >> version in testing (or unstable). Notably, if the version in testing is > >> not easily backportable

Re: What can Debian do to provide complex applications to its users?

On Wed, Feb 21, 2018 at 4:10 AM, Gunnar Wolf wrote: > It's sometimes hard to explain why we need updated software... Perhaps it helps to point out where Debian and users are placed in the ecosystem of software, hardware, technology and society and the pressures that each actor places on other

Re: What can Debian do to provide complex applications to its users?

On Tue, Feb 20, 2018 at 11:27 PM, Adam Borowski wrote: > And without security support for its dependencies, no reproducible build > system, etc. That isn't necessarily the case for Flatpak, it all depends on who is doing the build and what their policies and procedures are. -- bye, pabs

Re: What can Debian do to provide complex applications to its users?

Philipp Kern dijo [Mon, Feb 19, 2018 at 09:18:13AM +0100]: > Putting security support over all else is surely how some people see it. But > some upstreams also complain if you are going to ship ancient versions > because the most recent ones contain all of the fixes. It's certainly more > work to

Re: What can Debian do to provide complex applications to its users?

Raphael Hertzog dijo [Mon, Feb 19, 2018 at 03:19:59PM +0100]: > On Fri, 16 Feb 2018, Jonathan Carter (highvoltage) wrote: > > > - we could relax our requirements and have a way to document the > > > limitations of those packages (wrt our usual policies) > > > > Which requirements are you

Re: What can Debian do to provide complex applications to its users?

On Tue, Feb 20, 2018 at 04:02:00PM +0200, Adrian Bunk wrote: > You were talking about flatpak. > > The whole point of flatpak is that the same app is equally integrated > in all Linux distributions. And without security support for its dependencies, no reproducible build system, etc. Dᴏ ɴᴏᴛ

Re: What can Debian do to provide complex applications to its users?

Hi all, This e-mail isn't in reply to any specific e-mail in this thread but I like to add some words that may or may not inspire others for ideas. It is my intent to soon start working¹ on the Debian bikesheds (or Debian's PPA). Depending on requirements and use cases we may be able to use

Re: What can Debian do to provide complex applications to its users?

On Tue, Feb 20, 2018 at 11:56:04AM +0100, Michael Meskes wrote: > > > Right, and that's why we were talking about stuff like flatpak that > > > bring the application with its dependencies, more or less like a > > > container. > > > > That's a better solution for such cases than shipping the

Re: What can Debian do to provide complex applications to its users?

> > Right, and that's why we were talking about stuff like flatpak that > > bring the application with its dependencies, more or less like a > > container. > > That's a better solution for such cases than shipping the software > in Debian. > > And it's distribution-agnostic, meaning it can be

Re: What can Debian do to provide complex applications to its users?

On 19/02/2018 20:42, Michael Meskes wrote:= >> Various other packages in stable won't work with the latest Node.js >> and will also require upgrading. >> >> In the Node.js ecosystem it is par for the course when upgrading >> a package breaks countless reverse dependencies. > Right, and that's why

Re: What can Debian do to provide complex applications to its users?

❦ 20 février 2018 09:05 +0200, Arto Jantunen  : >> Moreover, backports do not accept security patches. You can only push a >> version in testing (or unstable). Notably, if the version in testing is >> not easily backportable (because of new dependencies), you may wait >> quite

Re: What can Debian do to provide complex applications to its users?

Vincent Bernat writes: > Moreover, backports do not accept security patches. You can only push a > version in testing (or unstable). Notably, if the version in testing is > not easily backportable (because of new dependencies), you may wait > quite some time before you get a

Re: What can Debian do to provide complex applications to its users?

❦ 19 février 2018 22:59 GMT, Craig Small  : >> >> a bit like backports that are not security supported >> >> either. >> > >> > this is now the 2nd mail within 24h were you claim this *wrongly*. >> > >> > backports are (supposed to be) getting security support. if you dont do

Re: What can Debian do to provide complex applications to its users?

Michael Meskes writes: [...] > Maybe you answered your question yourself. How about we tie our > security support to upstream's? Instead of fixing and backporting > ourselves we promise our users that this section of the archive will > get upstream's latest fixes even if

Re: What can Debian do to provide complex applications to its users?

On Tue, 20 Feb. 2018, 09:44 Vincent Bernat, wrote: > ❦ 19 février 2018 22:33 GMT, Holger Levsen : > > >> a bit like backports that are not security supported > >> either. > > > > this is now the 2nd mail within 24h were you claim this *wrongly*. > > >

Re: What can Debian do to provide complex applications to its users?

❦ 19 février 2018 22:33 GMT, Holger Levsen  : >> a bit like backports that are not security supported >> either. > > this is now the 2nd mail within 24h were you claim this *wrongly*. > > backports are (supposed to be) getting security support. if you dont do > this for

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 08:44:58PM +0100, Vincent Bernat wrote: > a bit like backports that are not security supported > either. this is now the 2nd mail within 24h were you claim this *wrongly*. backports are (supposed to be) getting security support. if you dont do this for your backports, you

Re: What can Debian do to provide complex applications to its users?

On 2018-02-19 at 16:03, Adrian Bunk wrote: > On Mon, Feb 19, 2018 at 03:52:30PM -0500, Roberto C. Sánchez wrote: > >> On Mon, Feb 19, 2018 at 10:16:56PM +0200, Adrian Bunk wrote: >>> Debian already does "security by upstream releases" for Firefox, >>> and this clearly shows why this is

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 03:52:30PM -0500, Roberto C. Sánchez wrote: > On Mon, Feb 19, 2018 at 10:16:56PM +0200, Adrian Bunk wrote: > > On Mon, Feb 19, 2018 at 08:40:12PM +0100, Michael Meskes wrote: > > >... > > > > An example what "no security support" means in practice: > > > > > > I don't

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 09:42:28PM +0100, Michael Meskes wrote: > > > And why wouldn't we offer said upstream version instead of the > > > unsupported older one? > > > > In some cases this might require changing literally thousands of > > packages in stable. > > > > Imagine said upstream

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 09:42:28PM +0100, Michael Meskes wrote: > > Right, and that's why we were talking about stuff like flatpak that > bring the application with its dependencies, more or less like a > container. > Which happens to bring with an entirely different set of problems. That said,

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 10:16:56PM +0200, Adrian Bunk wrote: > On Mon, Feb 19, 2018 at 08:40:12PM +0100, Michael Meskes wrote: > >... > > > An example what "no security support" means in practice: > > > > I don't think anyone suggest "no security", but something like > > "security by upstream

Re: What can Debian do to provide complex applications to its users?

> > And why wouldn't we offer said upstream version instead of the > > unsupported older one? > > In some cases this might require changing literally thousands of > packages in stable. > > Imagine said upstream version requires the latest Node.js. > > Various other packages in stable won't

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 08:44:58PM +0100, Vincent Bernat wrote: >... > Or we could put those software in a special repository (called "unsupported") >... What about calling it "nsa-enablement"? Cause that's what it is. But to be fair, no longer installing packages without security support in

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 08:40:12PM +0100, Michael Meskes wrote: >... > > An example what "no security support" means in practice: > > I don't think anyone suggest "no security", but something like > "security by upstream releases". How can you guarantee that to our users for buster until

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 08:35:29PM +0100, Michael Meskes wrote: > > What is the user supposed to do when Debian announces that some > > software essential for that user is no longer supported in the > > stable release the user is using? > > Again, where does this differ from the user realizing

Re: What can Debian do to provide complex applications to its users?

❦ 19 février 2018 20:36 +0200, Adrian Bunk  : >> Debian is not only about security support. We provide packages without >> security support. We also have backports that come without security >> support either. This is still better than installing random packages >> made by

Re: What can Debian do to provide complex applications to its users?

> The software might integrate properly into Debian - and allow > everyone > on the internet to take control of your computer. Which is of course independent of the way you install the software. > An example what "no security support" means in practice: I don't think anyone suggest "no

Re: What can Debian do to provide complex applications to its users?

> What is the user supposed to do when Debian announces that some > software essential for that user is no longer supported in the > stable release the user is using? Again, where does this differ from the user realizing their own self- baked installation cannot be upgraded anymore? > At that

Re: What can Debian do to provide complex applications to its users?

> > Let's agree to disagree. I find it perfectly fine if we told people > > up > > front that we support it as long as upstream has a version that > > works > > with the stable base. They are still better or at least not worse > > of > > with that than with a self-installed one. > > Why? With the

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 09:18:13AM +0100, Philipp Kern wrote: > On 2018-02-18 22:53, Adrian Bunk wrote: > > In the year 2018, any kind of "properly maintain" includes security > > support. > > > > Please elaborate how Debian can provide security support for packages > > like gitlab and all their

Re: What can Debian do to provide complex applications to its users?

On Sun, Feb 18, 2018 at 11:47:52PM +0100, Vincent Bernat wrote: > ❦ 18 février 2018 23:53 +0200, Adrian Bunk  : > > >> Who said we cannot properly maintain this stuff? And where do you > >> think our expected level of quality (whatever that is) will not be > >> reached? > > > >

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 07:03:04PM +0100, Michael Meskes wrote: > > Because eventually a future version will come out that doesn't work > > with > > the stable base, at which point we suddenly stop supporting the > > package. > > That's much worse than just admitting up front that we can't

Re: What can Debian do to provide complex applications to its users?

On Fri, Feb 16, 2018 at 08:18:13PM +0100, Samuel Thibault wrote: > W. Martin Borgert, on ven. 16 févr. 2018 18:59:21 +0100, wrote: >... > > This is very much a web application problem. Other software is > > less affected in my experience. > > Sure. But the current world is more and more focused

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 07:03:04PM +0100, Michael Meskes wrote: Because eventually a future version will come out that doesn't work with the stable base, at which point we suddenly stop supporting the package. That's much worse than just admitting up front that we can't support the package for

Re: What can Debian do to provide complex applications to its users?

> Because eventually a future version will come out that doesn't work > with > the stable base, at which point we suddenly stop supporting the > package. > That's much worse than just admitting up front that we can't support > the > package for the next 4 years. Let's agree to disagree. I find

Re: What can Debian do to provide complex applications to its users?

On വെള്ളി 16 ഫെബ്രുവരി 2018 08:41 വൈകു, Raphael Hertzog wrote: > - while gitlab is packaged in Debian, its packaging took years and the > result is brittle because it can break in many ways whenever one the > dozens of dependencies gets updated to some new upstream version > (BTW

Re: What can Debian do to provide complex applications to its users?

Raphael Hertzog, on lun. 19 févr. 2018 15:52:14 +0100, wrote: > On Mon, 19 Feb 2018, Samuel Thibault wrote: > > But what if that upstream website goes down? We don't have the source > > any more. Better at least keep a copy of the tarball. > > Sure. But as a packager, I don't want to have to do

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 09:52:57AM -0500, Michael Stone wrote: > I'd argue that what people should stop being afraid of is just using a third > party package if that's the optimal solution. +1 -- cheers, Holger signature.asc Description: PGP signature

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 02:51:31PM +0100, Raphael Hertzog wrote: Our core value is here and we can still provide value to our users in the new world that is emerging around us. We should just stop to be afraid of it. I'd argue that what people should stop being afraid of is just using a third

Re: What can Debian do to provide complex applications to its users?

On Mon, 19 Feb 2018, Samuel Thibault wrote: > Raphael Hertzog, on lun. 19 févr. 2018 15:19:59 +0100, wrote: > > On Fri, 16 Feb 2018, Jonathan Carter (highvoltage) wrote: > > > > - we could relax our requirements and have a way to document the > > > > limitations of those packages (wrt our usual

Re: What can Debian do to provide complex applications to its users?

On 19/02/2018 14:28, Samuel Thibault wrote: > Raphael Hertzog, on lun. 19 févr. 2018 15:19:59 +0100, wrote: >> On Fri, 16 Feb 2018, Jonathan Carter (highvoltage) wrote: - we could relax our requirements and have a way to document the limitations of those packages (wrt our usual

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 03:19:59PM +0100, Raphael Hertzog wrote: > Instead of requiring the source to be provided in the source package as a > non-minified file, we could require the packager to document in > debian/README.source where the upstream sources actually are. Ie, it'd be fine to ship

Re: What can Debian do to provide complex applications to its users?

On Mon, 19 Feb 2018, Paul Wise wrote: > On Mon, Feb 19, 2018 at 9:51 PM, Raphael Hertzog wrote: > > > I don't want to lower the quality of what we have built so far, so while > > it's technically possible to build .deb and include a bundle of libraries > > pinned at the correct version, I don't

Re: What can Debian do to provide complex applications to its users?

> I think Debian has never been afraid of tackling hard problems and we > should find a third way. > > I don't want to lower the quality of what we have built so far, so while > it's technically possible to build .deb and include a bundle of libraries > pinned at the correct version, I don't

Re: What can Debian do to provide complex applications to its users?

Raphael Hertzog, on lun. 19 févr. 2018 15:19:59 +0100, wrote: > On Fri, 16 Feb 2018, Jonathan Carter (highvoltage) wrote: > > > - we could relax our requirements and have a way to document the > > > limitations of those packages (wrt our usual policies) > > > > Which requirements are you

Re: What can Debian do to provide complex applications to its users?

On Fri, 16 Feb 2018, Jonathan Carter (highvoltage) wrote: > > - we could relax our requirements and have a way to document the > > limitations of those packages (wrt our usual policies) > > Which requirements are you referring to? If it's relaxing the need for > source for minified javascript,

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 9:51 PM, Raphael Hertzog wrote: > I don't want to lower the quality of what we have built so far, so while > it's technically possible to build .deb and include a bundle of libraries > pinned at the correct version, I don't think that this should allowed into > the main

Re: What can Debian do to provide complex applications to its users?

On Sat, 17 Feb 2018, Russ Allbery wrote: > The reason why Debian in general doesn't like to support vendored source > is because of the security implications: when there's a security > vulnerability in one of the vendored libraries, updating the relevant > packages becomes a nightmare. It's a

Re: What can Debian do to provide complex applications to its users?

Holger wrote: >On Sat, Feb 17, 2018 at 11:14:51PM +, Colin Watson wrote: >> * Constrained to the sort of server-side applications that might >>reasonably be run in a container on their own, just to keep the >>problem size down a bit. > >why this contraint, there are more and more

Re: What can Debian do to provide complex applications to its users?

On Fri, 16 Feb 2018, W. Martin Borgert wrote: > Is was a relevant part of the problem mentioned in Raphaels bug > report: Minified JS libraries without source code. this was one > of the starting points of this discussion. (#890598) It's not "without source code", it's just that the source code

Re: What can Debian do to provide complex applications to its users?

On Mon, Feb 19, 2018 at 10:21:18AM +0100, Michael Meskes wrote: Maybe you answered your question yourself. How about we tie our security support to upstream's? Instead of fixing and backporting ourselves we promise our users that this section of the archive will get upstream's latest fixes even

Re: What can Debian do to provide complex applications to its users?

> > Who said we cannot properly maintain this stuff? And where do you > > think our expected level of quality (whatever that is) will not be > > reached? > > In the year 2018, any kind of "properly maintain" includes security > support. Indeed it does, but not necessarily the way we handle it

Re: What can Debian do to provide complex applications to its users?

On Sat, 17 Feb 2018 at 02:11 Raphael Hertzog wrote: > I'm sure we are missing lots of good applications due to our requirements. > What can we do to avoid this? > [...] > What do you think? Do you have other ideas? Are there other persons > who are annoyed by the current

Re: What can Debian do to provide complex applications to its users?

On 2018-02-18 22:53, Adrian Bunk wrote: In the year 2018, any kind of "properly maintain" includes security support. Please elaborate how Debian can provide security support for packages like gitlab and all their dependencies in buster until mid-2022. If Debian cannot provide security support

Re: What can Debian do to provide complex applications to its users?

On 18 February 2018 at 12:14, Colin Watson wrote: ... > * Maybe truncate the frozen dependency tree at C extensions, in order >that we can make sure those are built for all architectures, so you'd >still have to care about compatibility with those. It'd be a much >

Re: What can Debian do to provide complex applications to its users?

❦ 18 février 2018 23:53 +0200, Adrian Bunk  : >> Who said we cannot properly maintain this stuff? And where do you >> think our expected level of quality (whatever that is) will not be >> reached? > > In the year 2018, any kind of "properly maintain" includes security support. >

Re: What can Debian do to provide complex applications to its users?

On Fri, Feb 16, 2018 at 06:12:04PM +0100, Michael Meskes wrote: > On Fri, Feb 16, 2018 at 11:12:51AM -0500, Michael Stone wrote: > > On Fri, Feb 16, 2018 at 04:58:04PM +0100, Michael Meskes wrote: > > > I know that this does create some problems for us, e.g. on the security > > > side, but the

Re: What can Debian do to provide complex applications to its users?

On Sun, Feb 18, 2018 at 12:48:49PM +, Holger Levsen wrote: > On Sat, Feb 17, 2018 at 11:14:51PM +, Colin Watson wrote: > > * Constrained to the sort of server-side applications that might > >reasonably be run in a container on their own, just to keep the > >problem size down a

Re: What can Debian do to provide complex applications to its users?

On Sat, Feb 17, 2018 at 11:14:51PM +, Colin Watson wrote: > * Constrained to the sort of server-side applications that might >reasonably be run in a container on their own, just to keep the >problem size down a bit. why this contraint, there are more and more desktop application

Re: What can Debian do to provide complex applications to its users?

> Michael Meskes dijo [Sat, Feb 17, 2018 at 01:57:53PM +0100]: > > I disagree, it is not maintainable source code, yes, but source > > code > > nonetheless. According to wikipedia source code is: > > ... > > Some others have answered to this claim. As I understand it, source > code should ideally

Re: What can Debian do to provide complex applications to its users?

On Sun, Feb 18, 2018 at 2:59 AM, Thorsten Alteholz wrote: > Other javascript libraries like libjs-* and *.js even don't get a CVE. So > either they are secure or nobody cares. We also miss out on some JS vulnerabilities because NodeSecurity don't systematically participate in the CVE system and

Re: What can Debian do to provide complex applications to its users?

On Sat, Feb 17, 2018 at 9:20 PM, Paul Wise wrote: > It may be code but it is definitely not source in the sense of DFSG > item 2 or the GPL. Also, non-minified JavaScript can also not be source code, for example in the case it was generated from CoffeeScript or some other language. -- bye,

回覆： What can Debian do to provide complex applications to its users?

  原始訊息   寄件者： Colin Watson 已傳送： Sonntag, 18. Februar 2018 10:15 收件者： debian-devel@lists.debian.org 主旨： Re: What can Debian do to provide complex applications to its users? On Sat, Feb 17, 2018 at 07:22:05PM +0100, Tollef Fog Heen wrote: > I think there's at least two types of vendoring you

Re: What can Debian do to provide complex applications to its users?

On Sat, Feb 17, 2018 at 07:22:05PM +0100, Tollef Fog Heen wrote: > I think there's at least two types of vendoring you're referring to > here, and they're substantially different. > > One is how Go currently does (but my understanding is that this is > changing in newer versions). Here, the

Re: What can Debian do to provide complex applications to its users?

On Sat, Feb 17, 2018 at 10:32:09AM -0700, Sean Whitton wrote: > > So if you are claiming we have no manpower that's pretty much our own > > fault since we do not actively care. There are ways to attract gifted > > and interested people if we would only try. > > I was making a more specific claim

Re: What can Debian do to provide complex applications to its users?

On Sat, Feb 17, 2018 at 08:42:44PM +0100, Adam Borowski wrote: > Binary code that has debug symbols isn't that bad. I don't think you can > have those for minified JS. JavaScript source maps have been around for a few years and AIUI are pretty much exactly that. -- Colin Watson

Re: What can Debian do to provide complex applications to its users?

Michael Meskes dijo [Sat, Feb 17, 2018 at 01:57:53PM +0100]: > > Minification is quite comparable to compilation. I will give you some > > examples from my frustration with Drupal8 in this answer. This can no > > longer be seen as source code: > > ... > > I disagree, it is not maintainable source

  1   2   >