[php-maint] Debian PHP 5 release schedule

Sun Aug 12 02:42:38 UTC 2007

hi andi/ralph,

On Thursday 09 August 2007 01:03:12 pm Andi Gutmans wrote:
> Pleased to meet you and the rest of the Debian team.
> Can you give us some more information on how you manage patch releases?

when new releases of php hit the streets, usually it goes into the unstable 
branch almost immediately.  from our end it consists of adding an entry in 
the "debian changelog" to match the latest version and perhaps 
massaging/removing any of the debian-specific patches from the previous 
release.  for example, we might have a patch taken from a cvs snapshot which 
is later incorporated in the next php release.

for stable, we have a very conservative approach for managing updates.  this 
isn't a debian/php specific practice, but rather how debian works as a whole.  
no source code changes to stable are allowed, unless the changes are very 
specifically targetted at fixing security (i.e. MOPB or other issues tagged 
with CVE numbers) or other severe issues (like that nasty single quoting bug 
introduced in one of the previous security fixes).  so, it is almost unheard 
of to take a new release of software (i.e. php 5.2.3) and directly push it in 
to the stable release.  

> Have you backported security patches which came after PHP 5.2.0? We have

yes. here's the "debian changelog" for the stable version of php5, so you can 
get an idea:

http://svn.debian.org/wsvn/pkg-php/php5/branches/etch/debian/changelog?op=file&rev=0&sc=0

> released three mini releases since and are just about to do a PHP 5.2.4
> release. Some of the patches are critical.
> Is your policy also against moving up on mini-releases? (which are
> binary compatible releases).

yes.  the only way to ensure a stable release on the scale of debian is to 
specifically disallow all but a few approved changes.  this is what gives 
debian both its excellent reputation for stability and reliability, as well 
as its not-so-excellent reputation for "lagging behind" in its stable 
releases.

in the case of php it really sucks for me as the maintainer, because to be 
honest php/zend has not always been completely forthcoming on security issues 
in the past, and the existing infrastructure at php.net doesn't really work 
well with how we manage releases.  recently things have improved a bit, but 
still there's a lot of dirty work that needs to be done by someone on our 
team even for these mini-releases.

so, if you know of any critical patches in 5.2.4 that may be relevant to 
debian's 5.2.0 release, i'm all ears :)

	sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20070811/32d245f5/attachment.pgp 