mozilla dependencies and versioned conflicts

Mike Hommey mh@glandium.org
Sun, 22 May 2005 10:39:50 +0200


On Sun, May 22, 2005 at 01:16:50AM -0700, Steve Langasek <vorlon@debian.org> wrote:
> Hi folks,
> 
> It looks like the security-fix-only new upstream version of mozilla, 1.7.8,
> has blocked again on kazehakase and enigmail (and probably on locale
> packages, but I haven't gotten there yet) because the sarge versions of
> these packages conflict with mozilla-browser (>= 2:1.7.8).
> 
> The solution offered by kazehakase in unstable is a new upstream version.
> 
> $ debdiff k/kazehakase/kazehakase_0.2.{6-2,7-1}.dsc | wc -l
>   25040
> $ 
> 
> And for enigmail, there currently is no solution available, other than
> removing the package from sarge.
> 
> Remember, mozilla-browser 1.7.8 was a *security fix*.  There should not be
> any changes in that upload which affect kazehakase or enigmail, AFAICT, yet
> the way the package relationships are structured leaves no option other
> than a re-upload of all dependent packages whenever a new upstream version
> comes out.  The release team has been doing the necessary fiddling to get
> these packages into testing every time, but now that we're in a freeze it's
> particularly ugly to do this.
> 
> I've approved kazehakase 0.2.7-1 to go into sarge, but I'm not happy about
> doing so.  There really must be a better answer for mozilla dependency
> handling, mustn't there?  What can we do to track the actual exported
> interfaces required by these packages, so that this isn't an issue again for
> etch?

Note kazehakase 0.2.7-1 still conflicts with mozilla-browser 1.7.8
(looking at its control file)...

The issue is not really a mozilla issue, only an indirect one.

Usually, minor version updates of mozilla do break stuff, so packages
built against mozilla added conflicts so that they're not stuffed by
mozilla next upload.

This time, the version update is supposed to be security only, and not
to break stuff. Thus, theorically, just changing the Conflicts: in the
control file is enough to have these programs depending on
mozilla-browser be able to use the security fix release.

Note that I didn't follow 1.7.8 release, so I'm just assuming from
theory, maybe 1.7.8 broke stuff...

Cheers

Mike