[PureOS] policy for level of stability of PureOS stable

Jonas Smedegaard jonas.smedegaard at puri.sm
Tue Nov 5 02:55:51 PST 2019


Quoting David Seaward (2019-11-04 20:55:31)
> On Thu, 2019-10-24 at 21:55 +0200, David Seaward wrote:
> > On Thu, 2019-10-24 at 20:11 +0200, Jonas Smedegaard wrote:
> > > Concretely, David Seaward wants ldh-gui-suite added, but it makes 
> > > sense to me to address this generally, early on.
> 
> I raised this recently and the feedback was that PureOS should be 
> considered directly under our (Purism's) control. So, for example, we 
> can release Liberty packages at any rate we (the Librem One team) are 
> comfortable maintaining.
> 
> Obvious issues that spring to mind are:
> 
> 1. Is the package ready for an everyday audience?
> 
> Here I'd like to confirm we have some kind of QA process before a 
> Liberty package hits PureOS stable.
> 
> 2. Do we require updates to dependency packages?
> 
> We must strenuously avoid this, otherwise we have to maintain these 
> packages ourselves, rather than inheriting Debian's maintenance 
> effort. Development dependencies must be pinned to match whatever is 
> available in PureOS stable.
> 
> 3. How do we handle releases to PureOS stable and PureOS next?
> 
> Liberty packages MUST always work on PureOS stable. They SHOULD work 
> on PureOS next. If they stop working on PureOS next, we aim to get 
> them working on both again, but only as resources allow.
> 
> Jonas, are there other maintenance concerns that I've overlooked?

4. How do we ensure packages are truly _maintained_ (not only added)?

What are criteria for _removing_ packages?  How do we ensure those 
criteria are met?  How do we detect packages weakly maintained?  What to 
do if we know about weakly maintained packages but lack the resources to 
address the issues?

5. What about security?

Who correlates our packages with CVEs?  What to do by whom when a 
package has security flaws?  ...which doesn't get addressed in a timely 
fashion? ...which involves embargoing?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private