On Thursday, 15.05.2008 at 17:33 +0200, Thijs Kinkhorst wrote:
> On Thursday 15 May 2008 16:47, Martin Uecker wrote:
> > > You mean less likely than once in 15 years? We're open to your
> > > suggestions.
> >
> > Something as bad as this might be rare, still, if something can be
> > improved, it should.
> >
> > Upstream complained about the extensive Debian patching. I think this
> > is a valid criticism.
>
> Of course things can be improved, probably always. I don't think that just
> one incident means that nothing must be changed, but I also contest that this
> incident in and of itself requires changes to be made. One incident just
> doesn't tell us much about the quality of Debian patches in general, either
> way.
I don't question the quality of Debian patches in general. But I still
think that something can be learned from this single incident. The
security advantage of open source software is said to be: "Many Eyes
Make All Bugs Shallow!" This of course cannot work if every distribution
basically creates its own branch.

> That's also what I dislike in Ben Laurie's blog post: he bases his conclusion
> on just this thing that indeed went horribly wrong, but is far from exemplary
> for all patching that Debian, or distributions in general, do. I don't think
> he realises that far from all upstreams are as ideal as he seems to think.

I am missing some self-criticism too. The use of uninitialized memory
should have been fixed upstream long ago. (And this is *not* a rare
case where the use of uninitialized memory is ok.)

> I welcome change and review of our processes, but taking one extreme incident
> as the base on which to draw conclusions seems not the wise thing to do.

Why not? A plane crash is a very rare incident. Still, every single
crash is investigated to make recommendations for their future
avoidance.

> If you're interested in for example changing the level to which software is
> patched in Debian, I suggest to start with a representative review of what
> gets patched and why it's done. That would give more base to see whether the
> extensive patching is indeed excessive.

I do not have time to do statistics, but from looking at a lot of
packages over the years I know that there are many changes in Debian
packages which are not related to packaging. Besides security fixes or
other really important fixes which have to go in very fast, I do not
see any reason for all these Debian-specific changes.

Martin