(tl;dr:
if you have a few minutes, please add information here)
Joss,
the problem with the new package formats is that there is nothing that actually uses the additional information in a way that adds significant new functionality, so the net result of the change was that we throw away the information at a different layer in our software stack, and one of the interfaces got a lot more complicated in the process.
One possible application would be a "poor man's patch tracking" inside the BTS, perhaps with a new state "fixed in patch".
I can see two ways of implementing that:
- by extending the interface of the "new" package formats that Debian,Ubuntu bug numbers are attached to the actual patch files and having the archive maintenance software extract and process that information (reject packages that add a patch for a bug without closing it in the changelog, notify the BTS), or
- by leaving the package format untouched and simply adding a regex matching "Fixes: #nnnnnn" that is reported to the BTS as "we have added a patch", so the submitter is notified that the bug is gone for him/her; the bug is then closed in the changelog of the upload removing the patch.
The former approach also allows us to link to patches from BTS pages, which the latter doesn't, so there could be actual benefit here if we believe it is worth the additional complexity.
(Update:
Rapha l thinks it is. I like the idea of a package format with separate patches a lot more in this context than I
did without it, but still my fear that it will actually be perceived as sanctioning large patchsets still remains.)
About mandatory co-maintenance: the problem isn't "helping". We have plenty of people with commit access to packages they don't even remotely understand who are really helpful (not). The problem is that someone needs to actually
read all the commit logs and understand what the changes do in this context. In most cases, that person or group would be upstream, not a DD.
My first impression after reading the patch was "adding uninitialized data to the entropy pool is pointless/harmful as it is not random, so this patch makes sense", because the loop around it was not contained in the patch. Obviously I'm not an OpenSSL developer.
There is nothing Debian could have done internally to verify the correctness of this patch that would properly scale to the entire archive, even if we put "more emphasis on security". The only solution I see is reporting every patch to upstream immediately and getting affirmation that it is correct.
This, however means that we need to produce patches that upstream can accept. For obvious code bugs, that is simple, but for integration patches like paths it is not sufficient to replace one string with another, but rather make it configurable in some place that can be reached from debian/rules.
In an ideal world, we end up with very few Debian specific patches, so essentially
we are talking about adding functionality to dpkg that we don't want to use.
I've started a page in the Debian Wiki,
Getting Packaged with an outline of a possible document aimed at upstream developers that should list the typical problems we run into and how to avoid them.