Plan for Today's (20070625) Release Engineering meeting

Axel Thimm Axel.Thimm at ATrpms.net
Tue Jun 26 08:47:52 UTC 2007


On Tue, Jun 26, 2007 at 12:44:42AM -0400, Matthias Clasen wrote:
> On Tue, 2007-06-26 at 03:00 +0200, Axel Thimm wrote:
> > On Mon, Jun 25, 2007 at 08:36:00PM -0400, Jesse Keating wrote:
> > > On Monday 25 June 2007 20:31:51 Axel Thimm wrote:
> > > > If for example glibc has been updated yum update foo will not pull it
> > > > in. Try it.
> > > 
> > > If it has been updated and the new update of foo will not run
> > > without the newer glibc and there are no rpm requirements on said
> > > newer glibc libraries, we've got much bigger issues.
> > 
> > True, but that's everyday packaging business and is called "lack of
> > forward compatibility in libraries". Actually that was the reason for
> > having to build against only security updates instead of the whole
> > update repo given in the trimmed away quote of mine.
> > 
> > Now to get to real example: Replace glibc with glib/gtk and friends,
> > that keep the same soname since Moses' birth and add symbols on the
> > row. You can build something on F7's glib and from a packaging POV it
> > will still fit into FC5 or FC4, but when the app runs it will break
> > with missing g* calls.
> 
> As far as "glib, gtk and friends" are concerned, these do not add
> any symbols in a stable branch, and Fedora releases stay on a stable
> branch, so your snide remarks are uncalled for, as far as these are
> concerned.

I'm sorry, but history says otherwise. Symbols have been added to
*stable* releases, and many applications were breaking when used on a
previous *stable* release.

I know that because I had been offering newer *stable*
glib/gtk/atk/pango bits at ATrpms at about FC4 for an application that
needed a fresher set, and users horrified by the "core updates bad"
myth only used the applications, which would agree to install
rpm-wise, but would spit the errors on the users' faces. I think one
of the apps that was dying that way was synaptic.

So that would have exactly happened if say synaptic had a security
update built against a later "stable" glib/gtk/... set of packages and
users tried to install the security update of synaptic on a
non-updated (or updated only for security updates) system.

So this is far from being an academic example.

> And talking about F7 packages on FC5 or FC4 is really detracting
> from the topic here, which is security updates within a single
> Fedora release.

You missed the point: I was just illustrating that rpm's checking is
not that tight (it would have to go down to the symbol table, something
that has often been considered but due to blowing up the database
always abandoned) and will allow you to do lots of crazy things if the
library decides to never bump its soname. I'm not suggesting to
actually do that in any sense ...
-- 
Axel.Thimm at ATrpms.net
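
The gap described in the message above (a soname-level dependency check passes while the library's exported symbol set has grown), as an added example that is not part of the original message or of rpm: it compares an application's strong imports with a library's exports using `nm -D` style listings. The listings are constructed, and `g_example_new_call` and `app_state` are hypothetical names.

```python
"""Soname-level vs symbol-level dependency check on `nm -D` style listings."""

SONAME = "libglib-2.0.so.0"  # unchanged between the two library builds

# Constructed listings (not from the thread); g_example_new_call is hypothetical.
OLD_LIB_NM = """\
0000000000001a10 T g_free
0000000000001b40 T g_malloc
"""
NEW_LIB_NM = OLD_LIB_NM + "0000000000002c80 T g_example_new_call\n"
APP_NM = """\
                 w __gmon_start__
                 U g_example_new_call
                 U g_free
                 U g_malloc
0000000000004010 B app_state
"""


def parse_nm(listing):
    """Return (defined, strong_undefined) symbol name sets."""
    defined, undefined = set(), set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3:            # "<addr> <type> <name>": defined here
            defined.add(parts[2].split("@")[0])
        elif len(parts) == 2 and parts[0] == "U":   # strong import
            undefined.add(parts[1].split("@")[0])
        # "w"/"v" with no address are weak imports: allowed to stay unresolved
    return defined, undefined


def unmet_sonames(required, provided):
    """What a soname-level check sees: required library names not provided."""
    return sorted(set(required) - set(provided))


def missing_symbols(app_listing, lib_listings):
    """Strong imports of the app that none of the given libraries export."""
    _, wanted = parse_nm(app_listing)
    exported = set()
    for listing in lib_listings:
        exported |= parse_nm(listing)[0]
    return sorted(wanted - exported)


if __name__ == "__main__":
    for label, lib in (("new build", NEW_LIB_NM), ("old build", OLD_LIB_NM)):
        print(label, "sonames unmet:", unmet_sonames([SONAME], [SONAME]),
              "symbols missing:", missing_symbols(APP_NM, [lib]))
```

On a real system the listings would come from `nm -D` run on the update's binary and on the library actually installed on the target, which makes this usable as a pre-release check for a security update built against a newer library set.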