Quoting David Seaward (2019-11-04 20:55:31)
On Thu, 2019-10-24 at 21:55 +0200, David Seaward wrote:
On Thu, 2019-10-24 at 20:11 +0200, Jonas Smedegaard wrote:
Concretely, David Seaward wants ldh-gui-suite added, but it makes sense to me to address this generally, early on.
I raised this recently and the feedback was that PureOS should be considered directly under our (Purism's) control. So, for example, we can release Liberty packages at any rate we (the Librem One team) are comfortable maintaining.
Obvious issues that spring to mind are:
- Is the package ready for an everyday audience?
Here I'd like to confirm we have some kind of QA process before a Liberty package hits PureOS stable.
- Do we require updates to dependency packages?
We must strenuously avoid this, otherwise we have to maintain these packages ourselves, rather than inheriting Debian's maintenance effort. Development dependencies must be pinned to match whatever is available in PureOS stable.
- How do we handle releases to PureOS stable and PureOS next?
Liberty packages MUST always work on PureOS stable. They SHOULD work on PureOS next. If they stop working on PureOS next, we aim to get them working on both again, but only as resources allow.
Jonas, are there other maintenance concerns that I've overlooked?
4. How do we ensure packages are truly _maintained_ (not only added)?
What are criteria for _removing_ packages? How do we ensure those criteria are met? How do we detect packages weakly maintained? What to do if we know about weakly maintained packages but lack the resources to address the issues?
5. What about security?
Who correlates our packages with CVEs? What to do by whom when a package has security flaws? ...which doesn't get addressed in a timely fashion? ...which involves embargoing?
- Jonas