Re: [Tails-dev] Tails vs Electrum

Author: intrigeri
Date:  
To: s7r, tails-dev
Subject: Re: [Tails-dev] Tails vs Electrum
Hi,

s7r:
> On my last discussion with Electrum's Debian maintainer, he said that
> there are dependencies that are not in Debian yet, and have to go
> through new, etc. and there are huge chances that we won't be able to
> have it in Buster. python3-zbar for example, some hardware wallet
> libraries, etc.


My understanding is that these are optional dependencies for bonus
features, but Electrum base functionality works just fine with it.
E.g. the 3.2.3-1 package has:

Suggests: python3-btchip, python3-trezor, python3-zbar

Correct? Or are there *hard*-dependencies missing in Debian at the moment?

> Let's pretend we make somehow some magic and package everything in
> Debian so we have Electrum 3.3.4 running in stable. We appear to be OK
> for the time being. But, who knows what the next attack will be, or what
> will happen, and then we'll end up in the same situation, that there's a
> new version we don't have in `stable-backports`. And we need it urgently
> because the one we have doesn't work any more, or it's vulnerable, or
> etc. Actually, it is already _3rd time_ we are in this situation.


I think there's a misunderstanding about the ways available to package
maintainers, in order to fix critical issues in stable backports.
It can be done in two ways:

  - Either go through sid → testing → backports: generally 5 days;
    even less if the package includes autopkgtests.


  - Skipping testing i.e. sid → backports, for security issues or
    other critical problems, as an exception. All this can happen on
    the same day as a new upstream release. For details, see:
    https://backports.debian.org/Contribute/


In other words, assuming a package maintainer is available to get the
fix in backports, there's no policy or technical reason that prevents
them from doing so very quickly.

Things are a bit different during a Debian freeze. We could ship
a Tails-specific backport whenever Debian policies (as opposed to
maintainer availability) are the only blocker to get the fixes we need
into stable backports. That can be the case for a few months every
2 years, such as… right now.

Cheers,
--
intrigeri