On Wed, Dec 17, 2014 at 11:00 AM, "P. A. López-Valencia" <vorbote@outlook.com> wrote:
On 17/12/14 09:32, Ido Rosen wrote:
Agreed that everything in "core" should be maximally stable. (Also, following upstream stable releases rather than unstable releases fits just fine with Arch's philosophy of following upstream releases, since unstable releases are really just poorly named release candidates, which we don't usually follow.)
TBH, your argument is a red herring. Arch is about K.I.S.S. and following upstream as close to current as *upstream stable releases* allow. There have been occasions when what you propose has happened, mostly due to the chronic lack of developer hands and time. I can recall the headache it was to move from guile 1.8 to 2.x a little longer than a year ago.
We seem to be in agreement: 2.1.x is not yet in the set of upstream *stable* releases, but 2.0.x is in that set. Therefore, Arch should follow 2.0.x until upstream has marked 2.1.x as stable. Someone made a mistake in upgrading to 2.1, so let's correct the mistake by downgrading back until it's safe, rather than leaving all of Arch's users at great security risk. Let's not forget that gnupg underlies all of Arch's security/integrity (i.e. pacman db and pkg signing) - it's how our users know that Arch is Alice-rch and not Eve-rch. IMO, downgrading is the responsible, smart (not stupid) thing to do, and let's not forget the last "S" in K.I.S.S... :-)
Given that gpg is such a crucial core component of Arch's infrastructure and that gpg 2.1 is NOT stable, could we switch back to gnupg 2.0.x (stable release) and create a gnupg-modern or gnupg21 package to track gnupg 2.1.x, which should be installable side-by-side with gnupg stable (perhaps with gpg21 as the binary name)?
Instead, why not donate to gnupg.org so that the software is truly stable and evolves quickly? One underpaid (and underfed!) developer doesn't give any assurance about the future of the project and the software itself.[1] TL;DR: gnupg's situation is such that the OpenSSL project before the Heartbleed incident looks like a bunch of rich kids clubbing in Ibiza.
I donated, but I do not see your name on the donation list? [0] It can be "in addition to", not "instead". Also, your argument is a straw man: upstream funding has nothing to do with whether Arch should follow what upstream has marked as a stable release vs. what upstream has marked as an unstable, not-recommended-for-general-use, feature-development release; this is especially true of such a critical core component which underlies all of Arch's package distribution security/integrity (i.e. pacman-key). That one underpaid and underfed full-time developer you refer to has marked 2.0 as stable and 2.1 as unstable, so upstream has not marked 2.1.x as stable yet. [0] https://www.gnupg.org/donate/kudos.html
[1] https://news.ycombinator.com/item?id=8761896
-- Pedro Alejandro López-Valencia http://about.me/palopezv/
Every nation gets the government it deserves. -- Joseph de Maistre