[Pkg-ia32-libs-maintainers] ia32-lib plans and security support for same

Tue Apr 29 21:48:48 UTC 2008

On Tue, Apr 29, 2008 at 11:13:47PM +0200, Florian Weimer wrote:
> * Goswin von Brederlow:
> 
> > Joerg Jaspert <ftpmaster at debian.org> writes:
> >
> >> - The included complete copy of the source *and* the existing i386
> >>   binary is something that is really bad. Yes, we get in trouble if we
> >>   don't include the source for packages on the archive, but it is still
> >>   a *very* strong point against this packaging scheme.
> >>   We (as in ftp-team), but even more the security team are against
> >>   them.
> 
> I think from a security support POV, we can get away with it if the
> .debs are not actually built from the included source code.
> 
> > I hope you feel that this will simplify matters not just for us but
> > also for you and will allow this package split continue.
> 
> I simply lack the necessary network bandwidth to keep the current
> ia32-libs updated.  But for someone with good connectivity, it should be
> relatively straightforward to build periodic roll-up packages.  We
> should figure out why this hasn't happened.  The fundamental problem
> probably lies somewhere else.

I actually looked into trying to do ia32-libs updates for etch
recently, but didn't know how to proceed. The source code build failed
for me with conflicting build-deps. (Bdale gave me some pointers
but I hadn't gotten around to following them.)

I have good connectivity and would be willing to help here if shown
how to do it.

> (Note that you need to deal with security updates *and*
> stable-proposed-updates, BTW.)

An update in the next etch point release would be good to see..

> And what about downloader that build .debs locally, from the i386 .debs?
> Has this approach been considered?  This would sidestep the issue of
> up-to-dateness.
> 

-- 
dann frazier