UVFManagementInMOTU

UVF is difficult to manage for MOTUs

I find UpstreamVersionFreeze incredibly frustrating when dealing with Universe packages. There are several issues, sometimes contradictory, about this.

"We can't relax UVF rules for universe because we will have to support Dapper for 3 years."

Dapper will be supported for 3 years (source).

  • Yes, but universe is not and will not be supported. It comes with no guarantee of security fixes and support. (ubuntu/components)

  • main is supposed to be self-contained (universe is not enabled by default), so chances are low that broken packages in universe will break main packages.
  • Our quality standard for universe is already quite low, since our goal is to have as many packages in as possible (for example, we regularly import packages from apt-get.org and other sources). Also, we prefer to have unmaintained packages in universe rather than no package at all.

MOTUs lack a lot of resources for this task

  • As of 2006-02-08, more than 1100 source packages are newer in Debian than in Ubuntu. (source)

  • MOTUs are all volunteers.
  • Micro-managing is boring, since it's only about trying to catch up with Debian. We might lose more MOTUs (and not get others in).

Risks

  • A lot of people need universe packages for their daily tasks.
    • We might have broken packages in universe, and we might not know. People will only notice after the release, will complain, and we probably won't do anything about this (see this bug for example). => Bad press, especially if Debian had the package fixed a long time ago.

    • Security problems: universe packages might introduce security problems, and we might not know about it. Do we have a way to list universe packages installed on a system? (I don't think so) => Very bad press if a server is rooted because of universe packages.

    • Some packages might be outdated in Dapper. Some packages are very important for some people. It might make Dapper unsuitable for them. => Bad press, especially if the package is up to date in Debian.

  • The general opinion of our users is "Even if universe/multiverse is not officially supported, a lot of developers are working to support it unofficially, and it works quite well." With my insider point of view, I don't think it's true:
    • I'm in MOTURuby, but I have never looked at the status of Ruby in breezy for example. There might be some security flaws in some packages, but I wouldn't know about it.
    • There are not so many active MOTUs.

Proposal

  • Improve the sync/merge process to make it more clever and continue to use it even after UVF.
  • Based on more thorough automatic testing of candidate packages.

  • Example rule of acceptance (only meant to be an example of what could be possible)
    • The updated package builds on dapper (easy to test using pbuilder)
    • The updated package installs on dapper (easy to test using piuparts or a home-made script)
    • The updated package has been in Debian sid for n days, without any severity >= normal bug opened against it

    • If the package provides some tests, they all pass when running on dapper.
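
The example acceptance rule above, written out as a gate (an added example, not part of the original page or any Ubuntu tooling). The Candidate fields, the function names and the sample packages are assumptions; the build and install results are taken as inputs that a pbuilder or piuparts run would supply, and the severity names follow the Debian bug tracker. An unrecognised severity is treated as blocking.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Debian BTS severities, lowest to highest.
SEVERITIES = ["wishlist", "minor", "normal", "important",
              "serious", "grave", "critical"]

@dataclass
class Candidate:
    name: str
    builds: bool        # result of building in a dapper chroot (e.g. pbuilder)
    installs: bool      # result of an install test (e.g. piuparts)
    days_in_sid: int    # age of this version in Debian sid
    bug_severities: List[str] = field(default_factory=list)  # bugs opened against it
    tests_passed: Optional[bool] = None  # None: the package provides no tests

def blocking_bugs(severities: List[str], threshold: str = "normal") -> List[str]:
    """Return severities at or above the threshold; unknown values block too."""
    floor = SEVERITIES.index(threshold)
    return [s for s in severities
            if s not in SEVERITIES or SEVERITIES.index(s) >= floor]

def evaluate(c: Candidate, min_days: int) -> Tuple[bool, List[str]]:
    """Apply the four example rules; return (accepted, reasons for refusal)."""
    reasons = []
    if not c.builds:
        reasons.append("does not build on dapper")
    if not c.installs:
        reasons.append("does not install on dapper")
    if c.days_in_sid < min_days:
        reasons.append(f"only {c.days_in_sid} of {min_days} days in sid")
    blockers = blocking_bugs(c.bug_severities)
    if blockers:
        reasons.append("open bugs with severity >= normal: " + ", ".join(blockers))
    if c.tests_passed is False:  # a package without tests is not penalised
        reasons.append("package tests fail on dapper")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample candidates, not real packages.
    samples = [
        Candidate("example-lib", True, True, 14, ["minor", "wishlist"]),
        Candidate("example-tool", True, True, 3, ["important"], tests_passed=False),
    ]
    for c in samples:
        accepted, why = evaluate(c, min_days=10)
        print(c.name, "ACCEPT" if accepted else "REFUSE", why)
```

The value of n (min_days) is left to the caller, as on the page; the 10 used in the sample run is a constructed value.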

LucasNussbaum/UVFManagementInMOTU (last edited 2008-08-06 16:33:38 by localhost)