Re: [gpsd-users] GPSD on Debian 10 (buster): allowing other hosts to access gpsd

[Bernd Zeimetz]

Hi Gary,

to summarize everything in one answer:

I know that you are not doing point-releases.
Which makes life for (almost) all distributions really hard.
A distribution can't just upload a new packages, neither to the current
testing/development branch, nor to stable releases.

The thing that needs to happen first is that all reverse dependencies
need to build fine against it.
Which usually just does not happen. If you break the API in a way that
reverse dependencies don't build anymore, it takes several weeks to
months to fix those. For example - you can't just upload a new KDE
without coordination.

To put it into hours, if this happens, its a 20-40h maintainer work just
to get everything in a shape to accept the new gpsd release.
Then the upload needs to be coordinated.
Uploading gpsd requires several big and deeply integrated packages to be
rebuilt. That alone is not the problem, it happens automatically. But we
also have other transitions that trigger a lot of rebuilds, so things
need to be coordinated. Which takes some more time and ressources.
Then gpsd is in a development release.


For stable releases, this is impossible.
We can't rebuild the whole archive. All we can do is to fix bugs without
breaking other things. So..

> Oh, wow, did you really just say that?  I happen to beleive all bugs,
> of all severity, are important.
... yes, all bugs are important, but we can only port fixes easily, that
don't break the ABI/API. There is no way to backport every single
bugfix, so we have to stick with the really important ones. And we
basically do this based on CVEs. Or if upstreams tell us, that something
should be fixed. We can fix all issues in point-releases, if we know
about them and if the fix in backportable.

So basically *you* need to tell the maintainers which issues need to be
backported, and which ones are bad enough that they need a CVE or at
least a security upload.
Also: if a patch can't be backported due to abi/api breakage, a new one
needs to be developed.


This is something that is done by all sane upstreams, and actually I'd
expect that from gpsd, too, as it is a rather important piece of software.

So basically we have three options:

- maintainers do the point release - without deep code knowledge and
knowledge about which bug will fix what, this won't be perfect. We like
to stick to CVEs and to everything UPSTREAM tells us to fix.

- you do proper point releases. Bug fixes only, no abi/api breakage. We
take them, ship them, easy to do.

- we remove gpsd from distributions...


What do you like?


Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

signature.asc
Description: OpenPGP digital signature