Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I personally love and use Debian exactly for its principles and stability.

I have heard users of other distros and a few upstream complaint that Debian "modifies" their packages?

Is it so? If yes, there surely must be a good reason. Can someone tell me about it?



There's mainly three kinds of patches:

* make the software behave like Debian needs it (configuration is stored somewhere in /etc/, no additional downloads at runtime, use the system libraries instead of vendored ones) * security backports. Debian freezes the functionality at release and only provides security updates. Many software nowadays just includes security fixes in new releases bundled with new functionality.

In combination these two kinds of patches lead to growing differences between a Debian released version 1.2 and the "real" 1.2, making it harder to handle bug reports (e.g. you get a bug report for version 1.2-Debian, but only support the "real" version 1.4 with a whole set of updated libraries).

The third kind of patch has mostly gone out of style; it's when Debian thinks they can improve the software. That lead to things like removing randomness from SSH keys: https://github.com/g0tmi1k/debian-ssh


Another kind of patch is when a common dependency library is being updated, and laggard upstreams need patching to make their current releases work against the newer library; it's either that or a Debian release with those packages missing.

This type is actually really common. Debian packages something like 30k upstreams, and so some are always behind.


Do they just patch the package in Debian or do they submit them upstream?


Usually both, submit upstream and add the patch to Debian while waiting for upstream to accept the patch.


There are two main ways of developing your software.

1. Incremental versions. Think like Chrome, there are not bug fixes, just new versions that may contain bug fixes.

2. Major versions, where you'll end up with semver style versioning. You'll have version 1 and version 2, but you'll also get version 1.1 released after 2 as it is the same as version 1, but with just a bugfix applied.

Debian essentially will only work with the second methodology, as they are API stable, which makes software developed by the first method incompatible.

To work around this Debian will backport "fixes" from version 3 to version 1, and create their own version 1.debian-2. The problem here is that people will now raise bugs with upstream on behaviour that was never released.

Yes Debian is allowed to do this, but upstream is also allowed to be unhappy with the additional workload that Debian puts on them.


Debian has a user-first philosophy as well as a focus on integration between packages. When required, that means patching upstreams that don't meet that expectation for whatever reason. The ability to do this is precisely the point of Free Software.


This is not always good. See https://www.debian.org/security/2008/dsa-1571


Applying patches increases the cost of making changes.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: