[php-maint] Debian PHP 5 release schedule
sean finney
seanius at debian.org
Sun Aug 12 02:42:38 UTC 2007
hi andi/ralph,
On Thursday 09 August 2007 01:03:12 pm Andi Gutmans wrote:
> Pleased to meet you and the rest of the Debian team.
> Can you give us some more information on how you manage patch releases?
when new releases of php hit the streets, usually it goes into the unstable
branch almost immediately. from our end it consists of adding an entry in
the "debian changelog" to match the latest version and perhaps
massaging/removing any of the debian-specific patches from the previous
release. for example, we might have a patch taken from a cvs snapshot which
is later incorporated in the next php release.
for stable, we have a very conservative approach for managing updates. this
isn't a debian/php specific practice, but rather how debian works as a whole.
no source code changes to stable are allowed, unless the changes are very
specifically targeted at fixing security (i.e. MOPB or other issues tagged
with CVE numbers) or other severe issues (like that nasty single quoting bug
introduced in one of the previous security fixes). so, it is almost unheard
of to take a new release of software (i.e. php 5.2.3) and directly push it
into the stable release.
> Have you backported security patches which came after PHP 5.2.0? We have
yes. here's the "debian changelog" for the stable version of php5, so you can
get an idea:
http://svn.debian.org/wsvn/pkg-php/php5/branches/etch/debian/changelog?op=file&rev=0&sc=0
> released three mini releases since and are just about to do a PHP 5.2.4
> release. Some of the patches are critical.
> Is your policy also against moving up on mini-releases? (which are
> binary compatible releases).
yes. the only way to ensure a stable release on the scale of debian is to
specifically disallow all but a few approved changes. this is what gives
debian both its excellent reputation for stability and reliability, as well
as its not-so-excellent reputation for "lagging behind" in its stable
releases.
in the case of php it really sucks for me as the maintainer, because to be
honest php/zend has not always been completely forthcoming on security issues
in the past, and the existing infrastructure at php.net doesn't really work
well with how we manage releases. recently things have improved a bit, but
still there's a lot of dirty work that needs to be done by someone on our
team even for these mini-releases.
so, if you know of any critical patches in 5.2.4 that may be relevant to
debian's 5.2.0 release, i'm all ears :)
sean