KDE Gear and hotfix releases, how to see whether a user has the hotfix?
Friedrich W. H. Kossebau
kossebau at kde.org
Mon Oct 25 00:57:58 BST 2021
(distributions as CC: as they are stakeholders on the matter)
while discussing a potential move to KDE Gear (or rather, the great automatic
Release service part), the question came up how cases of urgent fixes are
handled, especially when it comes to identifying products at users whether
they have a respectively fixed version.
the application Foo gets released as version 2.1.3. A day after release a
security issue is found. A hotfix is quickly written and pushed to the
repository. The patch-level version is bumped, new release is done the same
The version number in the tarball name, the one of the packages created by
distributions and the one displayed by the application at runtime all properly
tell whether this is a version with the hotfix or not.
So both users and developers know they talk about the same variant of the
software (at least when it comes to the hotfix).
KDE GEAR: BREAKING EXPECTATIONS
If Foo was to released with KDE Gear, the same experience should be possible.
Right now though this seems not easily possible, due to the strict scheme in
the schedule as well as the version data used.
ASKING DISTRIBUTIONS TO JUST PATCH?
It seems a practice is post-release to simply ping the distributions on the
distributions ML, point them to a commit to apply as patch and be done.
But does that work good enough? E.g. how can users & developers later know in
a consistent way if an instance of the software really has the hotfix, or if
some issue seen by the user has another cause?
Digging into distribution-specific packaging to find which patches are applied
is not considered a sensible solution not only by me.
Also might distributions/packagers fancy real source tarballs w/ matching tags
over adding custom patches in the package specs.
WAITING WEEKS FOR NEXT SCHEDULED RELEASE?
Alternatively waiting up to a full month until the next patch release gets out
in such cases also seems not user-friendly (and not developer-friendly, when
they have to face the issue reports of users as result in the meantime).
CAN WE HAVE KDE GEAR DO INDIVIDUAL AND VERSIONED HOTFIX RELEASES?
So ideally KDE Gear has an option to do intermediate hotfix releases of
individual software as well, with proper identifier in the version.
Two challenges I see:
a) a simple way to run the KDE Gear scripts for an individual package
b) have an extended KDE Gear version scheme, to be able to denote any
additional hotfix releases (e.g. for tag, package name, UI version strings).
I know this will make things more complicated for KDE Gear. But it makes more
things easier at other places later. And once in place, it hopefully should
not cost more.
Should be in bed now, but sending off to trigger your initial reactions and
thoughts and comments. More from me later the week.
More information about the release-team