-usual package maintainer to make a release of a package. For example,
-a porter for another architecture may have to make some small changes
-to the source package and does not wish to wait with uploading their
-release until the main maintainer has incorporated the patch, or a
-serious security problem or bug may have come to light requiring
-immediate attention.
- <p>
-When a security bug is detected a fixed package should be uploaded as
-soon as possible. In this case, the Debian Security Managers should
-get in contact with the package maintainer to make sure a fixed
-package is uploaded within a reasonable time (less than 48 hours). If
-the package maintainer cannot provide a fixed package fast enough or
-if he/she cannot be reached in time, the Security Manager may upload a
-fixed package.
- <p>
-When someone other than the usual maintainer releases a package they
-should add a new component to the <var/debian-revision/ component of
-the version number--that is, the portion after the (last) hyphen.
-This extra component will start at <tt/1/. This is to avoid
-`stealing' one of the usual maintainer's version numbers, possibly
-disrupting their work. If there is no <var/debian-revision/ component
-in the version number then one should be created, starting at <tt/1/.
- <p>
-If it is absolutely necessary for someone other than the usual
-maintainer to make a release based on a new upstream version then the
-person making the release should start with the <var/debian-revision/
-value <tt/0.1/. The usual maintainer of a package should start their
-<var/debian-revision/ numbering at <tt/1/.
- <p>
-Maintainers other than the usual package maintainer should make as few
-changes to the package as possible, and they should always send a
-unified context diff (<tt/diff -u/) detailing their changes to the bug
-tracking system properly flagged with the correct package so that the
-usual maintainer is kept aware of the situation.
- <p>
-If the non-maintainer upload (as known as an "NMU") fixes some
-existing bugs, the bug reports should not be closed. Technically,
-only the official package maintainer or the original bug submitter are
-allowed to close bugs. However, the person making the non-maintainer
-release should send a short message to the bug tracking system to all
-the fixed bugs explaining that they have been fixed. Using
-<email/control@bugs.debian.org/, the party doing the NMU should also
-set the severity of the bugs fixed in the NMU to "fixed". This
-ensures that everyone knows that the bug was fixed in an NMU; however
-the bug is left open until the changes in the NMU are incorporated
-"officially" into the package by the official package maintainer.
- <p>
-The normal maintainer should do at least one of the following:
- <list compact>
+official package maintainer to make a release of a package. This is
+called a non-maintainer upload, or NMU.
+ <p>
+Debian porters, who compile packages for different architectures, do
+NMUs as part of their normal porting activity (see <ref
+id="porting">). Another reason why NMUs are done is when a Debian
+developers needs to fix another developers' packages in order to
+address serious security problems or crippling bugs, especially during
+the freeze, or when the package maintainer is unable to release a fix
+in a timely fashion.
+ <p>
+This chapter contains information providing guidelines for when and
+how NMUs should be done. A fundamental distinction is made between
+source and binary NMUs, which is explained in the next section.
+
+ <sect id="nmu-terms">Terminology
+ <p>
+There are two new terms used throughout this section: ``binary NMU''
+and ``source NMU''. These terms are used with specific technical
+meaning throughout this document. Both binary and source NMUs are
+similar, since they involve an upload of a package by a developer who
+is not the official maintainer of that package. That is why it's a
+<em>non-maintainer</em> upload.
+ <p>
+A source NMU is a upload of a package by a developer who is not the
+official maintainer, for the purposes of fixing a bug in the package.
+Source NMUs always involves changes to the source (even if it is just
+a change to <file>debian/changelog</file>). This can be either a change
+to the upstream source, or a change to the Debian bits of the source.
+ <p>
+A binary NMU is a recompilation and upload of a binary package for a
+new architecture. As such, it is usually part of a porting effort. A
+binary NMU is non-maintainer uploaded binary version of a package
+(often for another architecture), with no source changes required.
+There are many cases where porters must fix problems in the source in
+order to get them to compile for their target architecture; that would
+be considered a source NMU rather than a binary NMU. As you can see,
+we don't distinguish in terminology between porter NMUs and non-porter
+NMUs.
+ <p>
+Both classes of NMUs, source and binary, can be lumped by the term
+``NMU''. However, this often leads to confusion, since most people
+think ``source NMU'' when they think ``NMU''. So it's best to be
+careful. In this chapter, if I use the unqualified term ``NMU'', I
+mean both source and binary NMUs.
+
+
+ <sect id="nmu-who">Who can do an NMU
+ <p>
+Only official, registered Debian maintainers can do binary or source
+NMUs. An official maintainer is someone who has their key in the
+Debian key ring. Non-developers, however, are encouraged to download
+the source package and start hacking on it to fix problems; however,
+rather than doing an NMU, they should just submit worthwhile patches
+to the Bug Tracking System. Maintainers almost always appreciate
+quality patches and bug reports.
+
+
+ <sect id="nmu-when">When to do a source NMU
+ <p>
+Guidelines for when to do a source NMU depend on the target
+distribution, i.e., stable, unstable, or frozen. Porters have
+slightly different rules than non-porters, due to their unique
+circumstances (see <ref id="source-nmu-when-porter">).
+ <p>
+Only critical changes or security bug fixes make it into stable. When
+a security bug is detected a fixed package should be uploaded as soon
+as possible. In this case, the Debian Security Managers should get in
+contact with the package maintainer to make sure a fixed package is
+uploaded within a reasonable time (less than 48 hours). If the package
+maintainer cannot provide a fixed package fast enough or if he/she
+cannot be reached in time, the Security Manager may upload a fixed
+package (i.e., do a source NMU).
+ <p>
+During the release freeze (see <ref id="upload-frozen">), NMUs which
+fix important or higher severity bugs are encouraged and accepted.
+Even during this window, however, you should endeavor to reach the
+current maintainer of the package; they might be just about to upload
+a fix for the problem. As with any source NMU, the guidelines found
+in <ref id="nmu-guidelines"> need to be followed.
+ <p>
+Bug fixes to unstable by non-maintainers are also acceptable, but only
+as a last resort or with permission. Try the following steps first,
+and if they don't work, it is probably OK to do an NMU:
+ <p>
+<list>