crote 4 hours ago [-]
> When Debian or a Linux distribution ships a dependency they take responsibility of it. If there is a security issue and it’s not fixed by the developer upstream, they fix it for their users.
Do they?
In my experience a large bunch of packagers are fairly absent, with their patches often causing more issues than they solve and them offering essentially zero support. Want to file a bug report? The Ubuntu packager doesn't respond, the Debian packager isn't interested because you're not using the Debian version, and the upstream packager closes it as "can't reproduce" because the issue doesn't happen with the original source - provided it wasn't already fixed five releases ago, of course.
I've submitted full bug reports with patches fixing them to Ubuntu, just to see it get automatically closed a couple of years later as the version is no longer supported. Nobody ever looked at it. Using self-compiled upstream code and hitting an issue? When I file a bug report directly upstream it's not uncommon to get a fix a day or two later.
There's a reason Flatpak & friends have gotten so popular: a lot of people just want the upstream version. No weird patches or changes, no ancient versions staying around because some new dependency hasn't been packaged yet.
Obviously we shouldn't be harassing upstream developers for not writing patches fast enough, but let's not pretend that the traditional packaging system was/is perfect: it works fairly well for the base system, but it falls apart pretty quickly when it comes to more obscure packages.
sscaryterry 12 hours ago [-]
Cannot agree more. At every single company I've worked at, there have always been patch sets that were maintained to fix issues that wouldn't be accepted upstream. This, however, does not absolve the upstream maintainer. Striking the balance is essential.