X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=developers-reference.git;a=blobdiff_plain;f=pkgs.dbk;h=5a34b950251cfa603fddece657ba553e4f4e8561;hp=8e64063dff62c02225baec398d5063458b15ea15;hb=refs%2Fheads%2Fmaster;hpb=16f660dce49a0b56158a66eed5018927c5107917 diff --git a/pkgs.dbk b/pkgs.dbk index 8e64063..5a34b95 100644 --- a/pkgs.dbk +++ b/pkgs.dbk @@ -23,8 +23,9 @@ pages for more information. Assuming no one else is already working on your prospective package, you must then submit a bug report () against the pseudo-package wnpp describing your -plan to create a new package, including, but not limiting yourself to, a -description of the package, the license of the prospective package, and the +plan to create a new package, including, but not limiting yourself to, the +description of the package (so that others can review it), +the license of the prospective package, and the current URL where it can be downloaded from. @@ -100,7 +101,7 @@ of what is going on, and what is new, in the project. -Please see +Please see for common rejection reasons for a new package. @@ -290,9 +291,9 @@ There are several possible values for this field: stable, unstable. -Actually, there are two other possible distributions: stable-security -and testing-security, but read - for more information on those. +Actually, there are other possible distributions: +codename-security, +but read for more information on those. It is not possible to upload a package into several distributions at the same @@ -424,7 +425,7 @@ you might want to give the maintainer a few days to react. An upload to the delayed directory keeps the package in -the deferred uploads queue. +the deferred uploads queue. When the specified waiting time is over, the package is moved into the regular incoming directory for processing. This is done through automatic uploading to @@ -443,8 +444,8 @@ parameter to put the package into one of the queues. Security uploads Do NOT upload a package to the security -upload queue (oldstable-security, stable-security, -etc.) without prior authorization from the security team. If the +upload queue (on security-master.debian.org) +without prior authorization from the security team. If the package does not exactly meet the team's requirements, it will cause many problems and delays in dealing with the unwanted upload. For details, please see . @@ -573,7 +574,7 @@ If you want to be a good maintainer, you should periodically check the Debian bug tracking system (BTS) for your packages. The BTS contains all the open bugs against your packages. You can check them by browsing this page: -http://&bugs-host;/yourlogin@debian.org. +https://&bugs-host;/yourlogin@debian.org. Maintainers interact with the BTS via email addresses at @@ -843,10 +844,9 @@ fixing them themselves, sending security advisories, and maintaining When you become aware of a security-related bug in a Debian package, whether or not you are the maintainer, collect pertinent information about the problem, -and promptly contact the security team, preferably by filing a ticket in -their Request Tracker. -See . -Alternatively you may email &email-security-team;. +and promptly contact the security team by emailing &email-security-team;. If +desired, email can be encrypted with the Debian Security Contact key, see + for details. DO NOT UPLOAD any packages for stable without contacting the team. Useful information includes, for example: @@ -898,7 +898,7 @@ below on how to prepare packages for the Security Team to handle. The Security Tracker The security team maintains a central database, the -Debian Security Tracker. +Debian Security Tracker. This contains all public information that is known about security issues: which packages and versions are affected or fixed, and thus whether stable, testing and/or unstable are vulnerable. Information that is still confidential @@ -983,7 +983,7 @@ has become public. The Security Team has a PGP-key to enable encrypted communication about -sensitive issues. See the Security Team FAQ for details. +sensitive issues. See the Security Team FAQ for details. @@ -1055,7 +1055,7 @@ security archive) References to upstream advisories, CVE identifiers, and any other information +url="https://cve.mitre.org">CVE identifiers, and any other information useful in cross-referencing the vulnerability @@ -1122,11 +1122,10 @@ Be sure to verify the following items: Target the right distribution -in your debian/changelog. -For stable this is stable-security and -for testing this is testing-security, and for the previous -stable release, this is oldstable-security. Do not target -distribution-proposed-updates or +in your debian/changelog: +codename-security +(e.g. wheezy-security). +Do not target distribution-proposed-updates or stable! @@ -1154,8 +1153,9 @@ later distributions. If in doubt, test it with dpkg --compare-versions. Be careful not to re-use a version number that you have already used for a previous upload, or one that conflicts with a binNMU. The convention is to append -+codename1, e.g. -1:2.4.3-4+lenny1, of course increasing 1 for any subsequent ++debXu1 (where +X is the major release number), e.g. +1:2.4.3-4+deb7u1, of course increasing 1 for any subsequent uploads. @@ -1194,8 +1194,8 @@ have such a system yourself, you can use a debian.org machine (see Uploading the fixed package Do NOT upload a package to the security -upload queue (oldstable-security, stable-security, -etc.) without prior authorization from the security team. If the +upload queue (on security-master.debian.org) +without prior authorization from the security team. If the package does not exactly meet the team's requirements, it will cause many problems and delays in dealing with the unwanted upload. @@ -1238,7 +1238,7 @@ on &ftp-master-host;.
-Moving, removing, renaming, adopting, and orphaning packages +Moving, removing, renaming, orphaning, adopting, and reintroducing packages Some archive manipulation operations are not automated in the Debian upload process. These procedures should be manually followed by maintainers. This @@ -1297,7 +1297,7 @@ to these rules when you use it to report a bug against the If you want to remove a package you maintain, you should note this in the bug title by prepending ROM (Request Of Maintainer). There are several other standard acronyms used in the reasoning for a package -removal, see +removal, see for a complete list. That page also provides a convenient overview of pending removal requests. @@ -1341,7 +1341,7 @@ removal request. Further information relating to these and other package removal related topics -may be found at +may be found at and . @@ -1486,6 +1486,55 @@ they will continue to receive the bugs during that time.
+
+Reintroducing packages + +Packages are often removed due to release-critical bugs, absent maintainers, +too few users or poor quality in general. While the process of reintroduction +is similar to the initial packaging process, you can avoid some pitfalls by +doing some historical research first. + + +You should check why the package was removed in the first place. This +information can be found in the removal item in the news section of the PTS +page for the package or by browsing the log of +removals. +The removal bug will tell you why the package was removed and will give some +indication of what you will need to work on in order to reintroduce the package. +It may indicate that the best way forward is to switch to some other piece of +software instead of reintroducing the package. + + +It may be appropriate to contact the former maintainers to find out if +they are working on reintroducing the package, interested in co-maintaining +the package or interested in sponsoring the package if needed. + + +You should do all the things required before introducing new packages +(). + + +You should base your work on the latest packaging available that is suitable. +That might be the latest version from unstable, which will +still be present in the snapshot archive. + + +The version control system used by the previous maintainer might contain useful +changes, so it might be a good idea to have a look there. Check if the control +file of the previous package contained any headers linking to the version +control system for the package and if it still exists. + + +Package removals from unstable (not testing, +stable or oldstable) trigger the +closing of all bugs related to the package. You should look through all the +closed bugs (including archived bugs) and unarchive and reopen any that were +closed in a version ending in +rm and still apply. Any that +no longer apply should be marked as fixed in the correct version if that is +known. + +
+
@@ -1927,8 +1976,20 @@ Before doing an NMU, consider the following questions: -Does your NMU really fix bugs? Fixing cosmetic issues or changing the -packaging style in NMUs is discouraged. +Have you geared the NMU towards helping the maintainer? As there might +be disagreement on the notion of whether the maintainer actually needs +help on not, the DELAYED queue exists to give time to the maintainer to +react and has the beneficial side-effect of allowing for independent +reviews of the NMU diff. + + + + +Does your NMU really fix bugs? ("Bugs" means any kind of bugs, e.g. +wishlist bugs for packaging a new upstream version, but care should be +taken to minimize the impact to the maintainer.) Fixing cosmetic issues +or changing the packaging style (e.g. switching from cdbs to dh) in NMUs +is discouraged. @@ -2011,7 +2072,7 @@ Other NMUs: 10 days Those delays are only examples. In some cases, such as uploads fixing security -issues, or fixes for trivial bugs that blocking a transition, it is desirable +issues, or fixes for trivial bugs that block a transition, it is desirable that the fixed package reaches unstable sooner. @@ -2089,26 +2150,17 @@ It also has the benefit of making it visually clear that a package in the archive was not made by the official maintainer. - If you upload a package to testing or stable, you sometimes need to "fork" the version number tree. This is the case for security uploads, for example. For this, a version of the form -+debXYuZ -should be used, where X and -Y are the major and minor release numbers, and -Z is a counter starting at 1. -When the release number is not yet known (often the case for -testing, at the beginning of release cycles), the lowest -release number higher than the last stable release number must be used. For -example, while Lenny (Debian 5.0) is stable, a security NMU to stable for a -package at version 1.5-3 would have version -1.5-3+deb50u1, whereas a security NMU to Squeeze would get -version 1.5-3+deb60u1. After the release of Squeeze, security -uploads to the testing distribution will be versioned -+deb61uZ, until it is known whether that release will be -Debian 6.1 or Debian 7.0 (if that becomes the case, uploads will be versioned -as +deb70uZ). ++debXuY +should be used, where X is the major release number, +and Y is a counter starting at 1. +For example, while Wheezy (Debian 7.0) is stable, a security NMU to stable for +a package at version 1.5-3 would have version +1.5-3+deb7u1, whereas a security NMU to Jessie would get +version 1.5-3+deb8u1.
@@ -2449,7 +2501,7 @@ scripts. See below for details.
Some further dependency analysis is shown on — but be warned, this page also +url="https://release.debian.org/migration/"> — but be warned, this page also shows build dependencies which are not considered by britney.
@@ -2647,13 +2699,13 @@ before or after this main run, depending on the exact type. If you want to see more details, you can look it up on . +url="https://&ftp-master-host;/testing/update_output/">. The hints are available via , where you can find +url="https://&ftp-master-host;/testing/hints/">, where you can find the -description +description as well. With the hints, the Debian Release team can block or unblock packages, ease or force packages into testing, remove packages from testing, approve uploads to