undefined | Better HN

0 pointsSir_Cmpwn7y ago0 comments

Patches speak louder than bugs. The source material used to prepare the packages is often available and sending a patch to the maintainer's inbox (or other maintainers in similar software if the maintainer is unresponsive) is a sure way to make it easier for them to accomodate you.

0 comments

3 comments · 1 top-level

takluyver7y ago· 2 in thread

So if the maintainers haven't done something, we should assume it's upstream's fault for not making it convenient enough for them, or not prompting them enough? For every distro that has packaged their code?

There are real downsides to the maintainer system - it creates a lot of extra, uninteresting work, and frequently no-one's that interested in doing it, especially for smaller packages. That's why there's so much interest in other models.

To give another example, if you install jupyter-notebook through apt on Ubuntu 18.04 today, you get a version with a security issue (CVE-2018-8768) that upstream released a fix for months ago. Package maintainers are not making anyone safer there.

Sir_CmpwnOP7y ago

It's everyone's fault. The upstream, the maintainer, and the users. The first person who becomes aware of an issue should take steps to resolve it. By distributing this along everyone you make sure that there's enough hands to do the work and people can specialize in supporting the packages they want to work on. Maintaining a package is not hard.

This isn't some hypothetical, for the record. I'm explaining how this actually works in practice.

takluyver7y ago

The package maintainer system doesn't add additional people to share the same work, it creates additional bits of work for different people to do. Upstream can release a fix, and it doesn't get propagated to people on distro X because the package maintainer for X is busy with work, or is a parent now, or just isn't interested in the package any more. And if one proactive maintainer patches an issue, it doesn't help users on all the other distros, or users who get it directly from upstream.

You're explaining how this works in response to concrete examples of where it hasn't worked. I understand how distro packaging works for some packages, but I've seen it fall down too many times for others, especially more niche things.

j / k navigate · click thread line to collapse