Thursday, 11 February 2016

Re: Archive Reorg Episode VII: Follow Build-Depends

On Thu, Feb 11, 2016 at 03:59:19PM +0300, Dmitry Shachnev wrote:
> On Thu, Feb 11, 2016 at 12:36:27PM +0100, Matthias Klose wrote:
> > So an existing app package gains a new (universe) dependency on libfoo-dev.
> > Builds fine, maybe migrates, and then image builds fail because of the
> > libfoo1 component mismatch. Now you can either pre-promote the libfoo, or
> > re-upload app without the dependency (if that works). This probably will
> > lead to more pre-promotions, and looking at the current back-log of security
> > related MIRs the time between build and promotion will increase, making it
> > probably harder to revert such a change.
> Maybe we can teach Britney to not migrate the packages to release pocket if
> they are uninstallable within their component?

I've looked at this before, but I think it's impractically complicated,
unfortunately; britney's not really designed for this kind of
multi-layered check.

> > I'm a bit worried that we'll then have to chase people to subscribe teams to
> > the new packages, write the MIR, ... We'll save some time by not processing
> > B-D only MIRs, but I think for the remaining MIRs we'll have to spend more
> > time.
> But on the other hand we'll have fewer MIRs for the build-dep-only stuff, which
> is quite common (i.e. the JS minifiers or documentation generators).

Yeah, there's definitely a trade-off here but I would disagree with
Matthias's assessment; I think it's likely to be for the better. One
way to look at this is that having less noise from build-only packages
should help to reduce the MIR backlog and make it easier to have timely

Colin Watson
