• Re: Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic

    From Simon McVittie@21:1/5 to Simon Josefsson on Thu Jul 24 10:40:01 2025
    On Wed, 23 Jul 2025 at 23:53:58 +0200, Simon Josefsson wrote:
    > Is it forbidden for packages to exist in unstable and/or experimental
    > only in Debian?

    It is allowed. firefox (the non -esr version) and wine-development are
    examples of packages that exist only in unstable (with a RC bug to stop
    them from migrating to testing), while libsdl3-mixer and openjk are
    examples of packages that exist only in experimental.

    Packages that exist in unstable will frequently be picked up by other
    distributions and included in their ostensibly stable releases, often
    automatically and often ignoring RC bugs (the most obvious example is
    Ubuntu universe, which automatically includes every package from Debian
    unstable at the time of Ubuntu's freeze unless specifically configured
    not to), so I would recommend experimental for this purpose.

    > While liboqs is not intended for normal production use because of
    > certain properties, it is useful for its designated purposes of
    > experiments and testing. I think we somehow conflate these two,
    > thinking that everything in a Debian stable release MUST be intended for
    > secure production use.

    Debian stable is exactly for production use, and software that is only
    suitable for experiments and testing seems out-of-scope for stable, at
    least to me. I think we could benefit from having a better place for
    software (especially leaf packages) that is compatible with stable, and
    intended to be used alongside stable, but is not, itself, stable; or
    perhaps that's already fasttrack.debian.net.

    If a liboqs maintainer wants to make a trixie-compatible version of
    liboqs available, experimental + trixie-fasttrack would be one possible
    setup. That's what I'm intending to do for openjk, a game engine that
    has never had an upstream release and quite possibly never will.

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Chris Hofstaedtler@21:1/5 to All on Thu Jul 24 11:20:01 2025
    * Simon McVittie <[email protected]> [250724 10:38]:
    > On Wed, 23 Jul 2025 at 23:53:58 +0200, Simon Josefsson wrote:
    > > Is it forbidden for packages to exist in unstable and/or experimental
    > > only in Debian?
    >
    > It is allowed. firefox (the non -esr version) and wine-development are
    > examples of packages that exist only in unstable (with a RC bug to
    > stop them from migrating to testing), while libsdl3-mixer and openjk
    > are examples of packages that exist only in experimental.
    >
    > Packages that exist in unstable will frequently be picked up by other
    > distributions and included in their ostensibly stable releases, often
    > automatically and often ignoring RC bugs (the most obvious example is
    > Ubuntu universe, which automatically includes every package from
    > Debian unstable at the time of Ubuntu's freeze unless specifically
    > configured not to), so I would recommend experimental for this
    > purpose.

    Also for Debian itself it is beneficial if such packages don't land
    in unstable. For one, it avoids other packages using them to build
    (when they then cannot migrate). And it keeps the QA list down.

    Thanks,
    Chris

  • From Simon Josefsson@21:1/5 to Simon McVittie on Thu Jul 24 11:40:01 2025
    Simon McVittie <[email protected]> writes:

    > On Wed, 23 Jul 2025 at 23:53:58 +0200, Simon Josefsson wrote:
    > > Is it forbidden for packages to exist in unstable and/or experimental
    > > only in Debian?
    >
    > It is allowed. firefox (the non -esr version) and wine-development are
    > examples of packages that exist only in unstable (with a RC bug to
    > stop them from migrating to testing), while libsdl3-mixer and openjk
    > are examples of packages that exist only in experimental.

    Thanks for confirming! This aspect wasn't terribly clear to me. Is it
    discussed in any policy document?

    > > While liboqs is not intended for normal production use because of
    > > certain properties, it is useful for its designated purposes of
    > > experiments and testing. I think we somehow conflate these two,
    > > thinking that everything in a Debian stable release MUST be intended for
    > > secure production use.
    >
    > Debian stable is exactly for production use

    There are plenty of things in debian stable clearly marked as unsuitable
    for critical use - most of the Go and Rust ecosystems, but many other
    packages too. Or am I missing something?

    Maybe it is the definition of "production use" that is what is at heart
    here. Production use of software X for user A may be completely frowned
    upon for user B because they have different use-cases in mind for which
    it doesn't meet desirable properties. I don't think unsuitability for
    one use-case is motivation enough to ban a package from stable and/or
    unstable.

    /Simon
