I am not an RM. I have been reviewing some stretch-pu requests in an effort to help out the release managers. I have reviewed this bug log, and taken a look at the debdiff.
tl;dr: IMO this update needs better justification. It also requires a greater level of frankness about the downsides or risks of the update. Nevertheless it may be better to take it.

Possible COI warning: I have had occasional disagreements with gnupg upstream, relating to my own experiences with gnupg2 in a dgit context. However, I don't think that has affected my opinion on this request. I have given it the same level of scrutiny as my other recent reviews.

So: I looked at the debdiff provided in #11. The first thing that struck me was the very large update to scdaemon. I tried to find a discussion of the specific changes, and the potential risks. But I was not able to do so. All we have in the bug report and debdiff is

  +Backport from master branch:
  + 99d4dfe83
  + e2792813a
  + 031e3fa7b
  +Additionally, fix another bug when tested with 2.1.18-7 with PC/SC.

in what appears to be an upstream commit message to a stable branch.

The use of the upstream's stable branch requires justification (unless the upstream processes are very high-quality and self-documenting, as I found for example with most of my KDE reviews). Specifically, using an upstream branch requires consideration of upstream's processes (including any realistic critical analysis which may be relevant). This is so that we can weigh up the risks of updating by taking upstream's branch, vs. by trying to cherry pick individual fixes.

The only commentary about this aspect of the update is this:

  Most fixes are all pulled from upstream to make it easier to integrate future security patches,

It is not quite clear to me exactly which upstream branch we are talking about (and whether we are talking about an upstream release at all, or a "git fetch"). All of this left me with a lot of unanswered questions.

I tried persevering. I found it very difficult to correlate the information found in #863734 with the diffs etc.

For example, we have:

  The bugs addressed include: #862032 #854359 #854829 #834922 #858082
  This unblock would also address the concerns raised around win32-loader by odyx.

I went and looked up some of these bugs and many of them do seem to be things we should fix. But relating them to the upstream commits is hard. The comment about win32-loader seems to be a reference to #864973 etc., and the fact that (AFAICT) win32-loader includes gpgv. I don't know what "concerns" there are.

My view is that it is for the submitter of a stretch-pu or release unblock request to
 - make the case
 - supply all necessary information
 - frankly disclose any risks of the update
 - explain the Debian project's alternative choices
 - provide the RMs and reviewers with good pointers so that the review is easy to conduct

Having said all that, there are clearly some important bugfixes here. The risk of delaying may be worse than the risk of taking these changes, even though we don't have the level of confidence we would like.

Ian.