[Ubuntuone-users] CouchDB 1.0 SRU to 10.04 LTS

[Micah Gersten]

On 11/27/2010 09:55 PM, Rodney Dawes wrote:
> On Sat, 2010-11-27 at 12:10 -0800, Clint Byrum wrote:
>> Also, why would 10.10 need to be updated in any way if it already
>> supports the newer protocol?
> In 10.10 and 11.04, we already ship CouchDB 1.0. Why should users
> continue to have two versions installed after an upgrade to either of
> those versions of Ubuntu? We will have to ship updates so that the
> package splitting we might do, would be reconciled on upgrade.
>
>>> There are also other security fixes included in the set of changes from
>>> 0.10 to 1.0, which means anyone actually using 0.10 is probably going to
>>> have to update anyway.
>>>
>> Our security team backports security fixes to the released version in an
>> LTS, so I'm not sure how that is relevant.
> The situation is similar to that of Firefox. CouchDB is not a simple
> package. The fixes are not simply applied to the older version. They are
> fairly invasive. Otherwise, we wouldn't be having this 3 month long
> conversation trying to come up with an amicable solution for all
> parties, as we would have already backported the fix we need. And I'm
> sure an SRU would have been in that case, were it possible. With Firefox
> and other Mozilla projects in the past, security updates have been
> issued by upgrading to a newer major version of the package in question.
Firefox is not a client library that others base applications on. 
Xulrunner is, however, when we did a major upgrade of xulrunner in
Hardy, we left the xulrunner-1.9 source package and added a
xulrunner-1.9.2 source.  We ported the vulnerable applications to the
xulrunner-1.9.2 source.  This left the 3rd party applications to update
on their own if they chose to.  Also, Firefox has a Microrelease
exception.  If this is going to be an ongoing problem for couchdb, there
should be a discussion about how to handle upgrades on a regular basis.

Micah