[Python-apps-team] Bug#500781: ubuntu/debian repos

Vincent Danjean vdanjean.ml at free.fr
Fri Oct 3 13:15:28 UTC 2008 

Martin Geisler wrote:
> "Ken Blake" <kblake2 at gmail.com> writes:
> 
>> I've been meaning to ask about why the Ubuntu hardy repo was so out
>> of date. It currently has v0.9.5. I googled Vincent and found this
>> page:
>> http://www-id.imag.fr/Laboratoire/Membres/Danjean_Vincent/deb.html#mercurial
>> which shows the package name to be mercurial_1.0-7~bpo40+1_i386.deb
>> which I assume means it is version 1.0.
> 
> Correct, but the "bpo" part also tells you that this is a package for
> backports.org -- a place where people upload newer versions of
> packages for the stable Debian releases.

My web page is not always uptodate... ;-)

>> But when I look at the Debian site:
>> http://packages.debian.org/etch/mercurial it lists mercurial
>> (0.9.1-1+etch1) which implies an even older version than Ubuntu.
> 
> The current stable Debian release is etch, and this was released in
> April 2007. The next stable release (the "testing" distribution called
> lenny) will contain 1.0.1:

Unless big security bugs, Debian packages of the stable release are never
updated. Currently, the stable release is etch. The next one, lenny, is in
preparation. It will have mercurial 1.0.1 because 1.0.2 has been released
after the freeze (ie near a release, packages cannot be updated in Debian
unless security bug. And only patch for this bug can be backported)

Hint: if anyone can point me to a specific changeset to fix the second
security bug fixed in 1.0.2 ("Mercurial before 1.0.2 does not enforce the
allowpull permission"), I will backport it to 1.0.1 in the next Debian
release (see http://bugs.debian.org/500781 )

>   http://packages.debian.org/search?keywords=mercurial
> 
>> So my interpretation of this is Ubuntu and Debian are not in sync
>> and Vincent has done an upgrade but it hasn't been accepted yet? I
>> don't really know how these things work.
> 
> Debian has an unstable distribution where new stuff is uploaded. After
> 14 days (normally) a package can move to the testing distribution
> provided that no new bugs were reported. Once in a while the testing
> distribution is released -- it is then called stable. Packages in
> stable receive security updates only, even if projects release newer
> versions.

It is true but near a Debian release, package cannot not be updated in 14 days
anymore.
So, for Debian :
- etch has an very old mercurial version (0.9.1) and will always keep it
- lenny (the next stable release) has version 1.0.1 (+ patch(es?) for security bugs)
- backport.org (package from lenny rebuilt for etch) has also 1.0.1
When lenny will be released (in a few weeks ?)
- etch will not change (0.9.1)
- lenny will have 1.0.1 (+ patch(es?) for security bugs)
- squeeze (the one after lenny) will have 1.0.2 and any new mercurial version
  before squeeze release
- backport.org will also have 1.0.2 for lenny (and etch if I have enough time)

I do not know how/when Ubuntu takes Debian packages to include them in Ubuntu.
(I do not follow Ubuntu development)

  Regards,
    Vincent

-- 
Vincent Danjean                 Adresse: Laboratoire d'Informatique de Grenoble
Téléphone:  +33 4 76 61 20 11            ENSIMAG - antenne de Montbonnot
Fax:        +33 4 76 61 20 99            ZIRST 51, avenue Jean Kuntzmann
Email: Vincent.Danjean at imag.fr           38330 Montbonnot Saint Martin

More information about the Python-apps-team mailing list