[maemo-developers] Promoting packages not under user/* sections, e.g. libraries (was: Re: Autobuilder repository priority ?)

From: Anderson Lizardo anderson.lizardo at openbossa.org
Date: Tue Nov 3 18:38:05 EET 2009
On Tue, Nov 3, 2009 at 12:03 PM, Henrik Hedberg
<henrik.hedberg at innologies.fi> wrote:
> Anderson Lizardo wrote:
>> But the PyMaemo team is still responsible for providing upgrades and
>> fixes for these packages through the extras-devel/extras-testing
>> repositories, and the user applications that use packages like
>> python-dbus, when promoted, will automatically promote the
>> dependencies. It *seems* to be the correct way of handling the
>> promotion for packages not under user/* sections, like all PyMaemo
>> components.
>   Why is that?
>   You do not feel scary that you cannot push, for example, a security fix
> for your components? Let's say that I am using one application (user/*
> package) that depends on python. For some reason it is not maintained
> anymore, and thus not updated. How do I get new versions of python
> libraries?

I can understand your concern regarding not getting e.g. a security
fix for a Python component (or any other librart FWIW) ASAP, but let's
look the other way:

How can we guarantee that this new fixed package does not introduce a
regression that breaks user applications in extras? I think doing QA
for a library is too difficult, because there is no user interaction
to test it. So the only way to do it is to test the applications that
depend on it.

The current approach (automatically promoting dependencies of packages
that passed QA) does something like that, the problem is that it does
not avoid the case where some dependency works for application A, but
breaks application B, but is still promoted to extras because
application A was promoted (thus breaking B).

>   Another thing to consider is that should _every_ application (user/*
> package) that depends on python be updated to just have a new version number
> in their dependencies when a new version of python libraries is released?
> (May be not, if they are working with the earlier version too, but what
> about those security fixes, for example.) There will be a lot of unnecessary
> megabytes to download just for that.

Certainly that's not the way. I think the package does not need to be
updated just to pull the new dependency version, as long as the
current version works for this package.

>   For Microfeed backend (libraries and applications that are not visible to
> user directly) I decided to create one user/* package that depends on the
> latest library packages. Applications using the backend are encouraged to
> depend on that package. When a library, for example, is updated, there will
> be a new version of the user/* package that pulls the library package.
>   How do you see that option?

PyMaemo already has a similar meta-package (called
maemo-python-device-env), but it was not meant for this purpose. I
think it might work for security critical fixes or other updates that
require being available on extras ASAP, but in my opinion this is just
exploiting a limitation that I explained earlier (and thus might break
other packages already in extras that depend on these new versions)

My two cents,
Anderson Lizardo
OpenBossa Labs - INdT
Manaus - Brazil
More information about the maemo-developers mailing list