Hi,

I'm the Ubuntu "maintainer" of the Haskell toolchain. Most of my work is
basically requesting syncs, or in rarer cases picking up a patch from
Debian's BTS in advance for a Haskell package.

On Monday 19 May 2008 18:54:39, Ian Lynagh wrote:
> On Mon, May 19, 2008 at 02:41:57PM +0200, Michal Suchanek wrote:
> > Is the problem with source dependencies resolved already?
> >
> > Last time I tried to build something the build dependencies were exact
> > (= something) which is very bad for users who try to build anything,
> > and I read some discussion earlier on this list where it was pointed
> > out that this is unacceptable for security as well.
>
> No-one has yet convinced me that any other scheme would be better.
>
> Exact dependencies make security fixes much easier to get right, as you
> don't have to worry about building against an older version of a package
> and getting the security bug cross-module-inlined.

Hm... these versions get calculated at build time, right? So I assume that if
a package gets binNMU'd, the binary versions would be in there as
[build-]dependencies? For Ubuntu, this would cause some trouble, going more
out of sync with unstable, since we cannot do binNMUs and must do source
uploads instead. However, I currently don't see a better way at the moment.
Finally, having tight dependencies does help Ubuntu a great deal (as it
happened in the past that rdepends of Haskell libraries in Ubuntu were not
rebuilt when these should have been).

Cheers,
   Stefan.


_______________________________________________
debian-haskell mailing list
[email protected]
http://urchin.earth.li/mailman/listinfo/debian-haskell
