Bug#814479: libbusiness-creditcard-perl: New upstream version 0.35 (including new MasterCard ranges)

gregor herrmann gregoa at debian.org
Tue Jun 7 09:58:19 UTC 2016 

On Mon, 06 Jun 2016 23:02:32 -0700, Ivan Kohler wrote:

(I've unarchived the bug and bounced your mail to it.)

> On Sat, Feb 20, 2016 at 09:04:51PM +0100, gregor herrmann wrote:
> > > I recommend also uploading this verison to wheezy-updates and jessie-updates
> > > (aka the artist formerly known as "volatile").
> > We can't upload new versions to (old)stable;
> This isn't a request to upload new versions to (old)stable.  This is a 
> request to upload new versions to proposed-updates / stable-updates, 
> formerly known as "volatile".  (ref https://wiki.debian.org/StableUpdates 
> and https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html)

I think that you think (:)) that stable-updates is a separate
queue/suite/... from stable-proposed-updates but that's not the case
in my understanding.

Quoting https://wiki.debian.org/StableUpdates :

  Some packages from proposed-updates may also be made available via
  the stable-updates mechanism. ... All packages from stable-updates
  will be included in point releases.

Quoting https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html :

  The suite [stable-updates] contains a subset of the packages
  available via the "proposed-updates" suite which many users may
  wish to be able to install without having to cherry-pick them or
  wait for the next point release. Such updates will be uploaded to
  "proposed-updates" as normal, and then optionally pushed to
  "stable-updates" by the SRMs.

Quoting adsb from the release team in his mail to #826563 from today:

  ... one never uploads to stable-updates - one uploads to stable,
  via p-u, and we cherry-pick uploads from there sideways into
  -updates at our discretion once they're ready.

Or in my own words (someone please correct me if I'm wrong):

There's only one upload queue, stable-proposed-updates(-new).
Uploading there is only allowed after approval from the release team.
When a package lands there, the release team has to manually accept
or reject it. Approved updates will end up in the next point release.

And, optionally, the release team can also copy the package to
stable-updates earlier in order to make it available before the next
point release.

In other words, there are no uploads to only stable-updates, just to
stable(-proposed-updates) which may or may not also be copied over to
stable-updates. That's why I'm talking about "uploading to stable".
 
> > we'd need a minimal diff
> > against the versions in wheezy/jessie (0.31 and 0.33), then we can
> > talk to the release team about them accepting uploads.
> I do not believe a "minimal diff" is necessary for -updates.  This is not 
> a security backport.  This is an update for software which requires 
> alignment to the real work to remain relevant and useful.

Sure but the release team has to inspect the changes, that's why they
prefer minimal diffs with only the necessary changes, and also to
avoid accidental breakage.

Cf. https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

    Changing anything else in the package that isn't important is
    discouraged, because even trivial fixes can cause bugs later on.
 
> stable-updates carries software which requires updates over time to 
> remain relevant, such as spam filters, virus scanners, timezone updates, 
> web scrapers (i.e. youtube video downloaders) and similar things.  

Yes, temporarily, before they all end up in the next point release as
well. Cf. the recent announcement:
https://lists.debian.org/debian-announce/2016/msg00007.html

> We 
> don't backport functionality to old versions of ClamAV or SpamAssassin - 
> this would seem to be the same thing.

That's true for some packages where backporting fixes is non-trivial,
and AFAIK noone is happy with that. In most cases the changes are
small and targetted.
 
> The sole purpose of libbusiness-creditcard-perl is to validate and 
> identify credit cards.  Credit card issues are updating these rules and 
> issuing new credit cards with new number ranges without regard to our 
> release cycles.  We should be able to update this module through -updates 
> like we do ClamAV, Spamassassin, timezones and so forth.

I totally agree that an update of libbusiness-creditcard-perl in
jessie{,-updates} (wheezy is gone by now anyway) makes sense, I just
want to prepare a proposal for the release team that doesn't make
them cringe :) That's why I'd like to strip down
https://metacpan.org/diff/file?target=IVAN%2FBusiness-CreditCard-0.35%2F&source=IVAN%2FBusiness-CreditCard-0.33%2F
to the necessary part(s) before contacting them.


Cheers,
gregor

-- 
 .''`.  Homepage https://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer -  https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   BOFH excuse #307:  emissions from GSM-phones

More information about the pkg-perl-maintainers mailing list