<div dir="ltr">In the past, when chromium has changed its build dependencies, debian-security / chromium debian maintainers have chosen to drop security support for chromium rather than update the build-dependencies:<div> <a href="https://lists.debian.org/debian-security-announce/2015/msg00031.html">https://lists.debian.org/debian-security-announce/2015/msg00031.html</a></div><div><br></div><div>I don't want to suggest the same decision will be made if/when that situation arises again (the decision isn't up to me), but I will note that chromium-browser doesn't seem to have involved build-dependencies that are not already in debian-stable across the various chromium stable/security updates to date.  (So we haven't triggered that decision point again yet.)</div><div><br></div><div>Ralph: Updating rustc in stable so stable users have access to the latest and greatest language is categorically *not* a motivation for Debian. Debian stable is for users who want minimal changes to their environment.  stable-backports is opt-in by users, held to a lower quality/testing standard and *is* open to exactly this sort of use case - but -backports doesn't help with potential firefox security updates to stable proper.</div><div><br></div><div> - Gus</div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 31 Aug 2016 at 08:26 Mike Hommey <<a href="mailto:mh@glandium.org">mh@glandium.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Aug 30, 2016 at 05:38:23PM +0300, Henri Sivonen wrote:<br>
> On Tue, Aug 30, 2016 at 5:35 PM, Sylvestre Ledru <<a href="mailto:s@mozilla.com" target="_blank">s@mozilla.com</a>> wrote:<br>
> > On 30/08/2016 at 16:30, Henri Sivonen wrote:<br>
> >> On Tue, Aug 30, 2016 at 5:27 PM, Sylvestre Ledru <<a href="mailto:s@mozilla.com" target="_blank">s@mozilla.com</a>> wrote:<br>
> >>> On 30/08/2016 at 16:18, Henri Sivonen wrote:<br>
> >>>> On Fri, Aug 26, 2016 at 1:48 PM, Mike Hommey <<a href="mailto:mh@glandium.org" target="_blank">mh@glandium.org</a>> wrote:<br>
> >>>>> - By the time ESR requires rustc, it will require a very much more<br>
> >>>>>&nbsp;&nbsp;recent version of rustc than the one in Debian stable. Rustc can currently<br>
> >>>>>&nbsp;&nbsp;only be compiled, at best, by the previous version. Which means either<br>
> >>>>>&nbsp;&nbsp;building every released version of rustc between the one shipped in<br>
> >>>>>&nbsp;&nbsp;Debian stable and the one required by ESR in sequence, or<br>
> >>>>>&nbsp;&nbsp;bootstrapping rustc from scratch. (and same again a year later, when<br>
> >>>>>&nbsp;&nbsp;the ESR version bumps)<br>
> >>>> This would be neatly solved by Debian stable updating both Firefox and<br>
> >>>> rustc every six weeks like Debian stable updates our competitor<br>
> >>>> Chromium. (This would nicely also eliminate the complication of people<br>
> >>>> who want to write Rust code having to know to avoid from main and to<br>
> >>>> go to backports or to <a href="http://rustup.rs" rel="noreferrer" target="_blank">rustup.rs</a> instead.)<br>
> >>> If we are talking about Firefox ESR, my expectation from my release manager pov<br>
> >>> is that we will use the same version of the rust compiler for the whole cycle.<br>
> >>> I don't want rust changing versions impacting a product that we want to be stable...<br>
> >>><br>
> >>> Once an ESR cycle ends (they are shorter than Debian stable), well, bumping the rust<br>
> >>> dependency is going to be a pain because of the LLVM dependency...<br>
> >>> This is the core of the issue...<br>
> >> I meant non-ESR. If Debian shipped non-ESR Firefox + latest stable<br>
> >> rustc every six weeks, there wouldn't be a rustc bump over many<br>
> >> versions.<br>
> >><br>
> > Debian won't ship Firefox in stable, only Firefox-esr.<br>
><br>
> Why not considering that a) Debian ships Chromium every six weeks in<br>
> stable and b) as noted above shipping non-ESR Firefox would make the<br>
> Rust situation simpler?<br>
<br>
For some value of simpler.<br>
<br>
Chromium in Debian is updated in stable, yes, but not in oldstable.<br>
Firefox ESR is.<br>
<br>
Chromium in Debian is only available on amd64 and i386. Firefox ESR is<br>
available on those, as well as arm64, armel, armhf, mips, mipsel,<br>
powerpc, ppc64el, s390x, kfreebsd-amd64, kfreebsd-i386 (although the<br>
latter two are not released architectures).<br>
<br>
Every new release of Firefox tends to break one of the non-major<br>
platforms. It's very much easier to fix those on a one-year schedule<br>
than on a 6-week schedule.<br>
<br>
You could argue that Mozilla would rather Firefox be updated every<br>
6-weeks on amd64 and i386 only, but Debian has different goals than<br>
Mozilla.<br>
<br>
You could argue that the effort is useless for a very low or inexistent<br>
number of users, and that might be true, but Debian has different goals<br>
than Mozilla.<br>
<br>
Chromium has much less users in Debian than Firefox (ESR)/Iceweasel has.<br>
<br>
These are the main reasons, off the top of my head. I'm sure there are<br>
others.<br>
<br>
Mike<br>
</blockquote></div>