nginx package signature guarantees with Xenial?

Jeff Kaufman jefftk at google.com
Fri Jun 24 19:06:13 UTC 2016 

Thanks for the quick reply!  Responses inline.

On Fri, Jun 24, 2016 at 10:11 AM, Robie Basak <robie.basak at ubuntu.com> wrote:
>
> I think the ubuntu-server mailing list is probably more appropriate to
> reach the right audience for this discussion, so I'm moving the thread
> there.

Thanks!

> Unfortunately I think this rules out your proposal. We do what we call
> "micro release updates" (MREs) when appropriate. Generally, if an
> upstream has a stable release branch, have a policy of applying only
> bugfixes to that branch, and has decent test coverage, then we're open
> to using it.

Yes, it does sound like what I'm proposing wouldn't work for you.

> Have you considered adding your module to Ubuntu's repositories? Is
> there any reason you couldn't maintain them in xenial-backports for the
> benefit of Xenial users, for example?

That's possible.  I don't have a great sense of what that would
entail.  For example, if the nginx package maintainer updated nginx,
the package for ngx_pagespeed would need to be rebuilt.  Is there a
good way to handle this?

But it does seem to me like getting ngx_pagespeed (and mod_pagespeed)
into Ubuntu's repos would make things a lot easier for people to
install it.

> IMHO heavy dependency on an exact version is never good - it's better
> for the wider ecosystem if there is focus on the actual ABI instead of
> some signature that gets bumped "too often" in order to more easily
> allow external modules such as yours.

Completely agree.  I wish Nginx had decided to go with an ABI.

> Right now,
> when the Ubuntu security team update MySQL to a newer upstream version
> (from the same upstream stable branch), they also issue a "no change
> rebuild" update of pinba-engine-mysql. This way users don't need to
> compile anything and it all just works.

That does sound exactly like the setup we'd need.

> Note that it's 16.04, not just 16. 16 will be ambiguous when a
> subsequent 16.10 is released.

But "16 LTS" isn't ambiguous, right?

Jeff

More information about the ubuntu-server mailing list