On Tue, Nov 3, 2009 at 12:03 PM, Henrik Hedberg <henrik.hedb...@innologies.fi> wrote:
> Anderson Lizardo wrote:
>
>> But the PyMaemo team is still responsible for providing upgrades and
>> fixes for these packages through the extras-devel/extras-testing
>> repositories, and the user applications that use packages like
>> python-dbus, when promoted, will automatically promote the
>> dependencies. It *seems* to be the correct way of handling the
>> promotion for packages not under user/* sections, like all PyMaemo
>> components.
>
> Why is that?
>
> You do not feel scary that you cannot push, for example, a security fix
> for your components? Let's say that I am using one application (user/*
> package) that depends on python. For some reason it is not maintained
> anymore, and thus not updated. How do I get new versions of python
> libraries?

I can understand your concern regarding not getting e.g. a security fix for a Python component (or any other library FWIW) ASAP, but let's look the other way: How can we guarantee that this new fixed package does not introduce a regression that breaks user applications in extras?

I think doing QA for a library is too difficult, because there is no user interaction to test it. So the only way to do it is to test the applications that depend on it. The current approach (automatically promoting dependencies of packages that passed QA) does something like that, the problem is that it does not avoid the case where some dependency works for application A, but breaks application B, but is still promoted to extras because application A was promoted (thus breaking B).

> Another thing to consider is that should _every_ application (user/*
> package) that depends on python be updated to just have a new version number
> in their dependencies when a new version of python libraries is released?
> (May be not, if they are working with the earlier version too, but what
> about those security fixes, for example.) There will be a lot of unnecessary
> megabytes to download just for that.

Certainly that's not the way. I think the package does not need to be updated just to pull the new dependency version, as long as the current version works for this package.

> For Microfeed backend (libraries and applications that are not visible to
> user directly) I decided to create one user/* package that depends on the
> latest library packages. Applications using the backend are encouraged to
> depend on that package. When a library, for example, is updated, there will
> be a new version of the user/* package that pulls the library package.
>
> How do you see that option?

PyMaemo already has a similar meta-package (called maemo-python-device-env), but it was not meant for this purpose.
I think it might work for security critical fixes or other updates that require being available on extras ASAP, but in my opinion this is just exploiting a limitation that I explained earlier (and thus might break other packages already in extras that depend on these new versions)

My two cents,
--
Anderson Lizardo
OpenBossa Labs - INdT
Manaus - Brazil