Bug#814479: libbusiness-creditcard-perl: New upstream version 0.35 (including new MasterCard ranges)
gregor herrmann
gregoa at debian.org
Tue Jun 7 20:18:08 UTC 2016
On Tue, 07 Jun 2016 12:12:42 -0700, Ivan Kohler wrote:
> The crucial point is that _we do not backport changes and create new,
> un-QAed forks for any of this other "volatile" software like spam/virus
> scanners and video downloads, so it seems to me that asking for it in the
> case of libbusiness-creditcard-perl is out-of-line with our practices and
> procedures for comparable things. We pull in new versions of e.g.
> spamassassin and ClamAV for the exact same reasons as this package needs
> to be updated.
That's correct for some packages but not for others. E.g.
libdatetime-timezone-perl only updates the actual timezone data but
doesn't use new upstream releases with code changes.
> Specifially in regard to the desire to "avoid accidental breakage": It
> seems that using the upstream 0.35 version, which has been QAed with my
> company's production customers and by CPAN users for half a year, is the
> more conservative, careful action and is the least likely to break
> anything. Backporting updates to an old version and creating a new
> Debian-specific fork, which will be unable to get any kind of comparable
> real-world testing, seems to be the riskier action that is more likely to
> cause breakage.
Right, that's the valid counter-argument. And uploads to stable-* are
always about finding a balance.
> > That's true for some packages where backporting fixes is non-trivial,
> > and AFAIK noone is happy with that. In most cases the changes are
> > small and targetted.
[..]
> WRT your assertion that noone is happy with that, FWIW, I would disagree.
> I'm very happy that my mail server gets updated versions of spamassassin
> and ClamAV. I'm glad we don't use our limited volunteer resources trying
> to try to support older, less-functional, non-QAed/patched versions of
> those packages on my stable machines like they were stable security
> updates.
That's of course a valid point as well.
> > I totally agree that an update of libbusiness-creditcard-perl in
> > jessie{,-updates} (wheezy is gone by now anyway) makes sense, I just
> > want to prepare a proposal for the release team that doesn't make
> > them cringe :) That's why I'd like to strip down
> > https://metacpan.org/diff/file?target=IVAN%2FBusiness-CreditCard-0.35%2F&source=IVAN%2FBusiness-CreditCard-0.33%2F
> > to the necessary part(s) before contacting them.
> As the sole purpose of the module is to validate and identify credit
> cards, few (if any) would even be omitted. Since 0.33, the version in
> jessie, _every change_ has been for the purpose of staying up-to-date
> with real world requirements such as recognizing new cards or processing
> agreements. Here is the relevant section of the Changes file.
[..]
> What would you omit in a backport for jessie? I think everything needs
> to be included, they're all updates to keep up with the real world.
I absolutely agree that every functional change needs to be included;
but not the noise from build tools and unrelated changes in the
documentation.
> As with all of us in the volunteer effort, I only have a limited amount
> of time and motivation to I only have so much time and effort to devote
> to Debian work. In this case, I don't personally anticipate motivating
> for more work creating a Debian-specific, un-QAed backport in order to
> keep release managers from "cringing".
I didn't mean to imply that it's you who has to make the changes :)
> For the sake of our users and free softwre (you know, our priorities), I
> would respectfully suggest the release managers should "cringe" and deal
> with this course of action as the least risky of the less-than-ideal
> alternatives, with more than ample precedent (e.g. spamassassin, ClamAV,
> etc.).
If I'm to one who talks to them I'd prefer to prepare the potential
upload in a way that I know makes it easy for them to review.
And to speed this all up a bit :) I've pushed a jessie branch to our
git repo:
https://anonscm.debian.org/cgit/pkg-perl/packages/libbusiness-creditcard-perl.git/log/?h=jessie
where I left out the non-functional changes and split the rest into
three logical patches.
What do you think? If this looks okay to you I'm happy to proceed.
> FWIW, we are just a few months away from the October 2016 "deadline" when
> MasterCard is expected to start issuing cards with the new ranges. If we
> have not figured out how to accept these changes by then, our users could
> start seeing their web sites refuse to accept real-world cards and lose
> sales and money. That would be a shame.
Thanks for pointing out this deadline; I'm confident we have
everything sorted by then :)
Cheers,
gregor
--
.''`. Homepage https://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
: :' : Debian GNU/Linux user, admin, and developer - https://www.debian.org/
`. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
`- NP: Pink Floyd: Welcome To The Machine
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital Signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20160607/50a1bc12/attachment-0001.sig>
More information about the pkg-perl-maintainers
mailing list