[Pkg-javascript-devel] Bug#980291: Bug#980291: Bug#980291: Bug#980291: Bug#980294: libjs-jquery-flot: breaking API change

Pirate Praveen praveen at onenetbeyond.org
Tue Jan 19 08:45:22 GMT 2021



On 2021, January 19 2:46:30 AM IST, Xavier <yadd at debian.org> wrote:
>On 18/01/2021 at 18:47, Pirate Praveen wrote:
>Maintaining an unsupported version means taking the risk of being unable to
>backport a security fix during stable life and LTS (we already have many
>examples).
>_Before freeze_, I prefer having updated libraries, taking the risk of
>sometimes breaking something, and patching reverse dependencies (with an
>upstream PR when useful): breaking a little testing/unstable is not a

It is not about breaking as such, but breaking without coordination and planning that is the problem. We have a release team and transition process for a reason. I don't think uploading breaking changes without giving adequate notice and warning is OK.

>drama. But we are a team, if the team prefers to take the security risk,
>then OK, I'll stop updating any libjs-* package (and stop tearing my
>hair to patch obsolete packages when a CVE exists).

It is not black or white, either not update or update without coordination. There is grey in the middle: update after giving sufficient time for people to respond.

>For the rhythm, most of libjs/node-* packages were strongly outdated in
>Buster, the sustained pace of 2020 only partially made up for the
>accumulated delay and the related technical debt.

These libraries are used by applications and having updated libraries but broken applications is not a good situation.

Finding which update broke your application when there are many updates is painful and stressful. If you at least know which update broke your application the situation is much better.

>Anyway, we entered freeze, it's not time to update anything not needed,
>except minor and tested updates, but I'm happy to have updated a lot of
>packages before freeze even if it has broken unstable sometimes.
>I feel the [1] dashboard better now than before Buster release.
>
>[1]:
>https://udd.debian.org/dmd/?email1=pkg-javascript-devel%40lists.alioth.debian.org&format=html
>

I appreciate all your work in this regard; I'm only asking you to give more time between experimental and unstable updates and filing bugs in case some applications are in reverse dependencies and don't have functional tests.

I appreciate your work in getting tests enabled in more packages, but we don't have 100% test coverage so some tests have to be done manually and you need a warning for people to do that.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


