[Pkg-rust-maintainers] Facilitating Firefox+Rust Linux distro packaging

Angus Lees gus at debian.org
Wed Aug 31 02:59:51 UTC 2016 

In the past, when chromium has changed it's build dependencies,
debian-security / chromium debian maintainers have chosen to drop security
support for chromium rather than update the build-dependencies:
 https://lists.debian.org/debian-security-announce/2015/msg00031.html

I don't want to suggest the same decision will be made if/when that
situation arises again (the decision isn't up to me), but I will note that
chromium-browser doesn't seem to have involved build-dependencies that are
not already in debian-stable across the various chromium stable/security
updates to date.  (So we haven't triggered that decision point again yet)

Ralph: Updating rustc in stable so stable users have access to the latest
and greatest language is categorically *not* a motivation for Debian.
Debian stable is for users who want minimal changes to their environment.
 stable-backports is opt-in by users, held to a lower quality/testing
standard and *is* open to exactly this sort of use case - but -backports
doesn't help with potential firefox security updates to stable proper.

 - Gus

On Wed, 31 Aug 2016 at 08:26 Mike Hommey <mh at glandium.org> wrote:

> On Tue, Aug 30, 2016 at 05:38:23PM +0300, Henri Sivonen wrote:
> > On Tue, Aug 30, 2016 at 5:35 PM, Sylvestre Ledru <s at mozilla.com> wrote:
> > > Le 30/08/2016 à 16:30, Henri Sivonen a écrit :
> > >> On Tue, Aug 30, 2016 at 5:27 PM, Sylvestre Ledru <s at mozilla.com>
> wrote:
> > >>> Le 30/08/2016 à 16:18, Henri Sivonen a écrit :
> > >>>> On Fri, Aug 26, 2016 at 1:48 PM, Mike Hommey <mh at glandium.org>
> wrote:
> > >>>>> - By the time ESR requires rustc, it will require a very much more
> > >>>>>   recent version of rustc than the one in Debian stable. Rustc
> currently
> > >>>>>   only be compiled, at best, by the previous version. Which means
> either
> > >>>>>   building every released version of rustc between the one shipped
> in
> > >>>>>   Debian stable and the one required by ESR in sequence, or
> > >>>>>   bootstrapping rustc from scratch. (and same again a year later,
> when
> > >>>>>   the ESR version bumps)
> > >>>> This would be neatly solved by Debian stable updating both Firefox
> and
> > >>>> rustc every six weeks like Debian stable updates our competitor
> > >>>> Chromium. (This would nicely also eliminate the complication of
> people
> > >>>> who want to write Rust code having to know to avoid from main and to
> > >>>> go to backports or to rustup.rs instead.)
> > >>> If we are talking about Firefox ESR, my expectation from my release
> manager pov
> > >>> is that we will use the same version of the rust compiler for the
> whole cycle.
> > >>> I don't want rust changing versions impacting a product that we want
> to be stable...
> > >>>
> > >>> Once an ESR cycle ends (they are shorter than Debian stable), well,
> bumping the rust
> > >>> dependency is going to be a pain because of the LLVM dependency...
> > >>> This is the core of the issue...
> > >> I meant non-ESR. If Debian shipped non-ESR Firefox + latest stable
> > >> rustc every six weeks, there wouldn't be a rustc bump over many
> > >> versions.
> > >>
> > > Debian won't ship Firefox in stable, only Firefox-esr.
> >
> > Why not considering that a) Debian ships Chromium every six weeks in
> > stable and b) as noted above shipping non-ESR Firefox would make the
> > Rust situation simpler?
>
> For some value of simpler.
>
> Chromium in Debian is updated in stable, yes, but not in oldstable.
> Firefox ESR is.
>
> Chromium in Debian is only available on amd64 and i386. Firefox ESR is
> available on those, as well as arm64, armel, armhf, mips, mipsel,
> powerpc, ppc64el, s390x, kfreebsd-amd64, kfreebsd-i386 (although the
> latter two are not released architectures).
>
> Every new release of Firefox tends to break one of the non-major
> platforms. It's very much easier to fix those on a one-year schedule
> than on a 6-week schedule.
>
> You could argue that Mozilla would rather Firefox be updated every
> 6-weeks on amd64 and i386 only, but Debian has different goals than
> Mozilla.
>
> You could argue that the effort is useless for a very low or inexistent
> number of users, and that might be true, but Debian has different goals
> than Mozilla.
>
> Chromium has much less users in Debian than Firefox (ESR)/Iceweasel has.
>
> These are the main reasons, off the top of my head. I'm sure there are
> others.
>
> Mike
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-rust-maintainers/attachments/20160831/bbee795b/attachment-0001.html>

More information about the Pkg-rust-maintainers mailing list