/[ddp]/manuals/trunk/developers-reference/pkgs.dbk

Diff of /manuals/trunk/developers-reference/pkgs.dbk

Parent Directory | Revision Log | View Patch Patch

-revision 5231 by he,
Fri Jun 13 07:36:29 2008 UTC
+revision 6761 by lucas,
Thu Jun 25 20:42:18 2009 UTC
 Line 28 
 description of the package, the license
  current URL where it can be downloaded from.
  </para>
  <para>
- You should set the subject of the bug to ``ITP: <replaceable>foo</replaceable>
+ You should set the subject of the bug to <literal>ITP:
- -- <replaceable>short description</replaceable>'', substituting the name of the
+ <replaceable>foo</replaceable> -- <replaceable>short
- new package for <replaceable>foo</replaceable>.  The severity of the bug report
+ description</replaceable></literal>, substituting the name of the new
- must be set to <literal>wishlist</literal>.  If you feel it's necessary, send
+ package for <replaceable>foo</replaceable>.
- a copy to &email-debian-devel; by putting the address in the
+ The severity of the bug report must be set to <literal>wishlist</literal>.
- <literal>X-Debbugs-CC:</literal> header of the message (no, don't use
+ Please send a copy to &email-debian-devel; by using the X-Debbugs-CC
- <literal>CC:</literal>, because that way the message's subject won't indicate
+ header (don't use CC:, because that way the message's subject won't
- the bug number).
+ indicate the bug number). If you are packaging so many new packages (>10)
+ that notifying the mailing list in seperate messages is too disruptive,
+ do send a summary after filing the bugs to the debian-devel list instead.
+ This will inform the other developers about upcoming packages and will
+ allow a review of your description and package name.
  </para>
  <para>
  Please include a <literal>Closes:
-Line 44 
 new package in order for the bug report
+Line 48 
 new package in order for the bug report
  package is installed in the archive (see <xref linkend="upload-bugfix"/> ).
  </para>
  <para>
+ If you think your package needs some explanations for the administrators of the
+ NEW package queue, include them in your changelog, send to ftpmaster@debian.org
+ a reply to the email you receive as a maintainer after your upload, or reply to
+ the rejection email in case you are already re-uploading.
+ </para>
+ <para>
  When closing security bugs include CVE numbers as well as the Closes: #nnnnn.
  This is useful for the security team to track vulnerabilities.  If an upload is
  made to fix the bug before the advisory ID is known, it is encouraged to modify
-Line 397 
 the Debian package <xref linkend="dcut"/
+Line 407 
 the Debian package <xref linkend="dcut"/
  <section id="delayed-incoming">
  <title>Delayed uploads</title>
  <para>
- Delayed uploads are done for the moment via the delayed queue at <literal>gluck
+ It is sometimes useful to upload a package immediately, but to want this
- </literal>. The upload-directory is
+ package to arrive in the archive only a few days later. For example,
- <literal>gluck:~tfheen/DELAYED/[012345678]-day</literal>. 0-day is uploaded
+ when preparing a <link linkend="nmu">Non-maintainer Upload</link>,
- multiple times per day to <literal>&ftp-master-host;</literal>.
+ you might want to give the maintainer a few days to react.
- </para>
- <para>
- With a fairly recent dput, this section
  </para>
- <screen>
- [tfheen_delayed]
- method = scp
- fqdn = gluck.debian.org
- incoming = ~tfheen
- </screen>
  <para>
- in <filename>~/.dput.cf</filename> should work fine for uploading to the
+ An upload to the delayed directory keeps the package in
- <literal>DELAYED</literal> queue.
+ <ulink url="http://ftp-master.debian.org/deferred.html">
+ the deferred uploads queue"</ulink>.
+ When the specified waiting time is over, the package is moved into
+ the regular incoming directory for processing.
+ This is done through automatic uploading to
+ <literal>&ftp-master-host;</literal> in upload-directory
+ <literal>DELAYED/[012345678]-day</literal>. 0-day is uploaded
+ multiple times per day to <literal>&ftp-master-host;</literal>.
  </para>
  <para>
- <emphasis>Note:</emphasis> Since this upload queue goes to
+ With dput, you can use the <literal>--delayed <replaceable>DELAY</replaceable></literal>
- <literal>&ftp-master-host;</literal>, the prescription found in <xref
+ parameter to put the package into one of the queues.
- linkend="upload-ftp-master"/> applies here as well.
  </para>
  </section>
-Line 824 
 outstanding security problems, helping m
+Line 833 
 outstanding security problems, helping m
  fixing them themselves, sending security advisories, and maintaining
  <literal>security.debian.org</literal>.
  </para>
- <!-- information about the security database goes here once it's ready -->
- <!-- (mdz) -->
  <para>
  When you become aware of a security-related bug in a Debian package, whether or
  not you are the maintainer, collect pertinent information about the problem,
  and promptly contact the security team at
  &email-security-team; as soon as possible.  <emphasis
- role="strong">DO NOT UPLOAD</emphasis> any packages for <literal>stable</literal>;
+ role="strong">DO NOT UPLOAD</emphasis> any packages for <literal>stable</literal>
-  the security team will do that.  Useful information includes, for example:
+ without contacting the team.  Useful information includes, for example:
  </para>
  <itemizedlist>
  <listitem>
-Line 867 
 linkend="bug-security-advisories"/> )
+Line 874 
 linkend="bug-security-advisories"/> )
  </para>
  </listitem>
  </itemizedlist>
+ <para>As the maintainer of the package, you have the responsibility to
+ maintain it, even in the stable release. You are in the best position
+ to evaluate patches and test updated packages, so please see the sections
+ below on how to prepare packages for the Security Team to handle.</para>
+ <section id="bug-security-tracker">
+ <title>The Security Tracker</title>
+ <para>
+ The security team maintains a central database, the
+ <ulink url="http://security-tracker.debian.net/">Debian Security Tracker</ulink>.
+ This contains all public information that is known about security issues:
+ which packages and versions are affected or fixed, and thus whether stable,
+ testing and/or unstable are vulnerable. Information that is still confidential
+ is not added to the tracker.
+ </para>
+ <para>
+ You can search it for a specific issue, but also on package name. Look
+ for your package to see which issues are still open. If you can, please provide
+ more information about those issues, or help to address them in your package.
+ Instructions are on the tracker web pages.
+ </para>
+ </section>
  <section id="bug-security-confidentiality">
  <title>Confidentiality</title>
  <para>
-Line 936 
 There are two reasons for releasing info
+Line 966 
 There are two reasons for releasing info
  requested: the problem has been known for a while, or the problem or exploit
  has become public.
  </para>
+ <para>
+ The Security Team has a PGP-key to enable encrypted communication about
+ sensitive issues. See the <ulink url="http://www.debian.org/security/faq.en.html#contact">Security Team FAQ</ulink> for details.
+ </para>
  </section>
  <section id="bug-security-advisories">
-Line 1072 
 Be sure to verify the following items:
+Line 1106 
 Be sure to verify the following items:
  <itemizedlist>
  <listitem>
  <para>
- Target the right distribution in your <filename>debian/changelog</filename>.
+ <emphasis role="strong">Target the right distribution</emphasis>
+ in your <filename>debian/changelog</filename>.
  For <literal>stable</literal> this is <literal>stable-security</literal> and
  for testing this is <literal>testing-security</literal>, and for the previous
  stable release, this is <literal>oldstable-security</literal>.  Do not target
-Line 1082 
 stable release, this is <literal>oldstab
+Line 1117 
 stable release, this is <literal>oldstab
  </listitem>
  <listitem>
  <para>
- The upload should have urgency=high.
+ The upload should have <emphasis role="strong">urgency=high</emphasis>.
  </para>
  </listitem>
  <listitem>
  <para>
  Make descriptive, meaningful changelog entries.  Others will rely on them to
- determine whether a particular bug was fixed.  Always include an external
+ determine whether a particular bug was fixed.  Add <literal>closes:</literal>
- reference, preferably a CVE identifier, so that it can be cross-referenced.
+ statements for any <emphasis role="strong">Debian bugs</emphasis> filed.
- Include the same information in the changelog for <literal>unstable</literal>,
+ Always include an external reference, preferably a <emphasis role="strong">CVE
- so that it is clear
+ identifier</emphasis>, so that it can be cross-referenced. However, if a CVE
- that the same bug was fixed, as this is very helpful when verifying that the
+ identifier has not yet been assigned, do not wait for it but continue the
- bug is fixed in the next stable release.  If a CVE identifier has not yet been
+ process. The identifier can be cross-referenced later.
- assigned, the security team will request one so that it can be included in the
- package and in the advisory.
  </para>
  </listitem>
  <listitem>
  <para>
- Make sure the version number is proper.  It must be greater than the current
+ Make sure the <emphasis role="strong">version number</emphasis> is proper.
- package, but less than package versions in later distributions.  If in doubt,
+ It must be greater than the current package, but less than package versions in
- test it with <literal>dpkg --compare-versions</literal>.  Be careful not to
+ later distributions.  If in doubt, test it with <literal>dpkg
- re-use a version number that you have already used for a previous upload.  For
+ --compare-versions</literal>.  Be careful not to re-use a version number that
- <literal>testing</literal>, there must be a higher version in
+ you have already used for a previous upload, or one that conflicts with a
- <literal>unstable</literal>.  If there is none yet (for example, if
+ binNMU. The convention is to append
- <literal>testing</literal> and <literal>unstable</literal> have the same
+ <literal>+</literal><replaceable>codename</replaceable><literal>1</literal>, e.g.
- version) you must upload a new version to <literal>unstable</literal> first.
+ <literal>1:2.4.3-4+etch1</literal>, of course increasing 1 for any subsequent
- </para>
+ uploads.
- </listitem>
- <listitem>
- <para>
- Do not make source-only uploads if your package has any binary-all packages (do
- not use the <literal>-S</literal> option to
- <command>dpkg-buildpackage</command>).  The <command>buildd</command>
- infrastructure will not build those.  This point applies to normal package
- uploads as well.
  </para>
  </listitem>
  <listitem>
  <para>
  Unless the upstream source has been uploaded to <literal>security.debian.org
- </literal> before (by a previous security update), build the upload with full
+ </literal> before (by a previous security update), build the upload <emphasis
- upstream source (<literal>dpkg-buildpackage -sa</literal>).  If there has been
+ role="strong">with full upstream source</emphasis> (<literal>dpkg-buildpackage
- a previous upload to <literal>security.debian.org</literal> with the same
+ -sa</literal>).  If there has been a previous upload to
- upstream version, you may upload without upstream source (<literal>
+ <literal>security.debian.org</literal> with the same upstream version, you may
- dpkg-buildpackage -sd</literal>).
+ upload without upstream source (<literal> dpkg-buildpackage -sd</literal>).
  </para>
  </listitem>
  <listitem>
  <para>
- Be sure to use the exact same <filename>*.orig.tar.gz</filename> as used in the
+ Be sure to use the <emphasis role="strong">exact same
+ <filename>*.orig.tar.gz</filename></emphasis> as used in the
  normal archive, otherwise it is not possible to move the security fix into the
  main archives later.
  </para>
  </listitem>
  <listitem>
  <para>
- Build the package on a clean system which only has packages installed from the
+ Build the package on a <emphasis role="strong">clean system</emphasis> which only
- distribution you are building for.  If you do not have such a system yourself,
+ has packages installed from the distribution you are building for. If you do not
- you can use a debian.org machine (see <xref linkend="server-machines"/> ) or
+ have such a system yourself, you can use a debian.org machine (see
- setup a chroot (see <xref linkend="pbuilder"/> and <xref
+ <xref linkend="server-machines"/> ) or setup a chroot (see
- linkend="debootstrap"/> ).
+ <xref linkend="pbuilder"/> and <xref linkend="debootstrap"/> ).
  </para>
  </listitem>
  </itemizedlist>
-Line 1175 
 archives.  For security uploads, the pla
+Line 1201 
 archives.  For security uploads, the pla
  </para>
  <para>
  Once an upload to the security queue has been accepted, the package will
- automatically be rebuilt for all architectures and stored for verification by
+ automatically be built for all architectures and stored for verification by
  the security team.
  </para>
  <para>
-Line 1764 
 also enable Debian to recompile entire d
+Line 1790 
 also enable Debian to recompile entire d
  The buildds admins of each arch can be contacted at the mail address
  <literal><replaceable>arch</replaceable>@buildd.debian.org</literal>.
  </para>
+ <para>
+ Since the Release team also has access to wanna-build,
+ it has become common practice to ask them to perform actions such as
+ the recompilation of packages (binNMUs, see <xref linkend="binary-only-nmu"/>)
+ or the retry of failed builds (give-backs).
+ The format to use when requesting such actions is described at
+ <ulink url="&url-release-wb;"/>.
+ </para>
  </section>
  </section>
-Line 1825 
 role="package">ftp.debian.org</systemite
+Line 1861 
 role="package">ftp.debian.org</systemite
  <section id="nmu">
  <title>Non-Maintainer Uploads (NMUs)</title>
  <para>
- Under certain circumstances it is necessary for someone other than the official
+ Every package has one or more maintainers. Normally, these are the people who
- package maintainer to make a release of a package.  This is called a
+ work on and upload new versions of the package. In some situations, it is
- non-maintainer upload, or NMU.
+ useful that other developers can upload a new version as well, for example if
- </para>
+ they want to fix a bug in a package they don't maintain, when the maintainer
- <para>
+ needs help to respond to issues.  Such uploads are called
- This section handles only source NMUs, i.e.  NMUs which upload a new version of
+ <emphasis>Non-Maintainer Uploads (NMU)</emphasis>.
- the package.  For binary-only NMUs by porters or QA members, please see <xref
- linkend="binary-only-nmu"/> .  If a buildd builds and uploads a package, that
- too is strictly speaking a binary NMU.  See <xref linkend="wanna-build"/> for
- some more information.
- </para>
- <para>
- The main reason why NMUs are done is when a developer needs to fix another
- developer's package in order to address serious problems or crippling bugs or
- when the package maintainer is unable to release a fix in a timely fashion.
- </para>
- <para>
- First and foremost, it is critical that NMU patches to source should be as
- non-disruptive as possible.  Do not do housekeeping tasks, do not change the
- name of modules or files, do not move directories; in general, do not fix
- things which are not broken.  Keep the patch as small as possible.  If things
- bother you aesthetically, talk to the Debian maintainer, talk to the upstream
- maintainer, or submit a bug.  However, aesthetic changes must
- <emphasis>not</emphasis> be made in a non-maintainer upload.
- </para>
- <para>
- And please remember the Hippocratic Oath: Above all, do no harm.  It is better
- to leave a package with an open grave bug than applying a non-functional patch,
- or one that hides the bug instead of resolving it.
  </para>
  <section id="nmu-guidelines">
- <title>How to do a NMU</title>
+ <title>When and how to do an NMU</title>
- <para>
- NMUs which fix important, serious or higher severity bugs are encouraged and
- accepted.  You should endeavor to reach the current maintainer of the package;
- they might be just about to upload a fix for the problem, or have a better
- solution.
- </para>
- <para>
- NMUs should be made to assist a package's maintainer in resolving bugs.
- Maintainers should be thankful for that help, and NMUers should respect the
- decisions of maintainers, and try to personally help the maintainer by their
- work.
- </para>
  <para>
- A NMU should follow all conventions, written down in this section.  For an
+ Before doing an NMU, consider the following questions:
- upload to <literal>testing</literal> or <literal>unstable</literal>, this
- order of steps is recommended:
  </para>
  <itemizedlist>
  <listitem>
  <para>
- Make sure that the package's bugs that the NMU is meant to address are all
+ Does your NMU really fix bugs? Fixing cosmetic issues or changing the
- filed in the Debian Bug Tracking System (BTS).  If they are not, submit them
+ packaging style in NMUs is discouraged.
- immediately.
  </para>
  </listitem>
  <listitem>
  <para>
- Wait a few days for the response from the maintainer.  If you don't get any
+ Did you give enough time to the maintainer? When was the bug reported to the
- response, you may want to help them by sending the patch that fixes the bug.
+ BTS? Being busy for a week or two isn't unusual.  Is the bug so severe that it
- Don't forget to tag the bug with the patch keyword.
+ needs to be fixed right now, or can it wait a few more days?
  </para>
  </listitem>
  <listitem>
  <para>
- Wait a few more days.  If you still haven't got an answer from the maintainer,
+ How confident are you about your changes? Please remember the Hippocratic Oath:
- send them a mail announcing your intent to NMU the package.  Prepare an NMU as
+ "Above all, do no harm." It is better to leave a package with an open grave bug
- described in this section, and test it carefully on your machine (cf.  <xref
+ than applying a non-functional patch, or one that hides the bug instead of
- linkend="sanitycheck"/> ).  Double check that your patch doesn't have any
+ resolving it. If you are not 100% sure of what you did, it might be a good idea
- unexpected side effects.  Make sure your patch is as small and as
+ to seek advice from others. Remember that if you break something in your NMU,
- non-disruptive as it can be.
+ many people will be very unhappy about it.
  </para>
  </listitem>
  <listitem>
  <para>
- Upload your package to incoming in <filename>DELAYED/7-day</filename> (cf.
+ Have you clearly expressed your intention to NMU, at least in the BTS?
- <xref linkend="delayed-incoming"/> ), send the final patch to the maintainer
+ It is also a good idea to try to contact the
- via the BTS, and explain to them that they have 7 days to react if they want to
+ maintainer by other means (private email, IRC).
- cancel the NMU.
  </para>
  </listitem>
  <listitem>
  <para>
- Follow what happens, you're responsible for any bug that you introduced with
+ If the maintainer is usually active and responsive, have you tried to contact
- your NMU.  You should probably use <xref linkend="pkg-tracking-system"/> (PTS)
+ him? In general it should be considered preferable that a maintainer takes care
- to stay informed of the state of the package after your NMU.
+ of an issue himself and that he is given the chance to review and correct your
+ patch, because he can be expected to be more aware of potential issues which an
+ NMUer might miss. It is often a better use of everyone's time if the maintainer
+ is given an opportunity to upload a fix on their own.
  </para>
  </listitem>
  </itemizedlist>
  <para>
- At times, the release manager or an organized group of developers can announce
+ When doing an NMU, you must first make sure that your intention to NMU is
- a certain period of time in which the NMU rules are relaxed.  This usually
+ clear.  Then, you must send a patch with the differences between the
- involves shortening the period during which one is to wait before uploading the
+ current package and your proposed NMU to the BTS. The
- fixes, and shortening the DELAYED period.  It is important to notice that even
+ <literal>nmudiff</literal> script in the <literal>devscripts</literal> package
- in these so-called bug squashing party times, the NMU'er has to file bugs and
+ might be helpful.
- contact the developer first, and act later.  Please see <xref
+ </para>
- linkend="qa-bsp"/> for details.
+ <para>
- </para>
+ While preparing the patch, you should better be aware of any package-specific
- <para>
+ practices that the maintainer might be using. Taking them into account reduces
- For the <literal>testing</literal> distribution, the rules may be changed by
+ the burden of getting your changes integrated back in the normal package
- the release managers.  Please take additional care, and acknowledge that the
+ workflow and thus increases the possibilities that that will happen. A good
- usual way for a package to enter <literal>testing</literal> is through
+ place where to look for for possible package-specific practices is
- <literal>unstable</literal>.
+ <ulink url="&url-debian-policy;ch-source.html#s-readmesource"><literal>debian/README.source</literal></ulink>.
  </para>
  <para>
- For the stable distribution, please take extra care.  Of course, the release
+ Unless you have an excellent reason not to do so, you must then give some time
- managers may also change the rules here.  Please verify before you upload that
+ to the maintainer to react (for example, by uploading to the
- all your changes are OK for inclusion into the next stable release by the
+ <literal>DELAYED</literal> queue).  Here are some recommended values to use for delays:
- release manager.
  </para>
+ <itemizedlist>
+ <listitem>
  <para>
- When a security bug is detected, the security team may do an NMU, using their
+ Upload fixing only release-critical bugs older than 7 days: 2 days
- own rules.  Please refer to <xref linkend="bug-security"/> for more
- information.
  </para>
+ </listitem>
+ <listitem>
  <para>
- For the differences for Porters NMUs, please see <xref
+ Upload fixing only release-critical and important bugs: 5 days
- linkend="source-nmu-when-porter"/> .
  </para>
+ </listitem>
+ <listitem>
  <para>
- Of course, it is always possible to agree on special rules with a maintainer
+ Other NMUs: 10 days
- (like the maintainer asking please upload this fix directly for me, and no diff
- required).
  </para>
- </section>
+ </listitem>
+ </itemizedlist>
- <section id="nmu-version">
- <title>NMU version numbering</title>
- <para>
- Whenever you have made a change to a package, no matter how trivial, the
- version number needs to change.  This enables our packing system to function.
- </para>
  <para>
- If you are doing a non-maintainer upload (NMU), you should add a new minor
+ Those delays are only examples. In some cases, such as uploads fixing security
- version number to the <replaceable>debian-revision</replaceable> part of the
+ issues, or fixes for trivial bugs that blocking a transition, it is desirable
- version number (the portion after the last hyphen).  This extra minor number
+ that the fixed package reaches <literal>unstable</literal> sooner.
- will start at `1'.  For example, consider the package `foo', which is at
- version 1.1-3.  In the archive, the source package control file would be
- <filename>foo_1.1-3.dsc</filename>.  The upstream version is `1.1' and the
- Debian revision is `3'.  The next NMU would add a new minor number `.1' to the
- Debian revision; the new source control file would be
- <filename>foo_1.1-3.1.dsc</filename>.
  </para>
  <para>
- The Debian revision minor number is needed to avoid stealing one of the package
+ Sometimes, release managers decide to allow NMUs with shorter delays for a
- maintainer's version numbers, which might disrupt their work.  It also has the
+ subset of bugs (e.g release-critical bugs older than 7 days). Also, some
- benefit of making it visually clear that a package in the archive was not made
+ maintainers list themselves in the <ulink url="&url-low-threshold-nmu;">Low
- by the official maintainer.
+ Threshold NMU list</ulink>, and accept that NMUs are uploaded without delay. But
+ even in those cases, it's still a good idea to give the maintainer a few days
+ to react before you upload, especially if the patch wasn't available in the BTS
+ before, or if you know that the maintainer is generally active.
  </para>
  <para>
- If there is no <replaceable>debian-revision</replaceable> component in the
+ After you upload an NMU, you are responsible for the possible problems that you
- version number then one should be created, starting at `0.1' (but in case of a
+ might have introduced. You must keep an eye on the package (subscribing to the
- debian native package still upload it as native package).  If it is absolutely
+ package on the PTS is a good way to achieve this).
- necessary for someone other than the usual maintainer to make a release based
- on a new upstream version then the person making the release should start with
- the <replaceable>debian-revision</replaceable> value `0.1'.  The usual
- maintainer of a package should start their
- <replaceable>debian-revision</replaceable> numbering at `1'.
  </para>
  <para>
- If you upload a package to <literal>testing</literal> or <literal>stable
+ This is not a license to perform NMUs thoughtlessly.  If you NMU when it is
- </literal>, sometimes, you need to fork the version number tree.  For this,
+ clear that the maintainers are active and would have acknowledged a patch in a
- version numbers like 1.1-3sarge0.1 could be used.
+ timely manner, or if you ignore the recommendations of this document, your
+ upload might be a cause of conflict with the maintainer.
+ You should always be prepared to
+ defend the wisdom of any NMU you perform on its own merits.
  </para>
  </section>
  <section id="nmu-changelog">
- <title>Source NMUs must have a new changelog entry</title>
+ <title>NMUs and debian/changelog</title>
  <para>
- Anyone who is doing a source NMU must create a changelog entry, describing
+ Just like any other (source) upload, NMUs must add an entry to
- which bugs are fixed by the NMU, and generally why the NMU was required and
+ <literal>debian/changelog</literal>, telling what has changed with this
- what it fixed.  The changelog entry will have the email address of the person
+ upload.  The first line of this entry must explicitely mention that this upload is an NMU, e.g.:
- who uploaded it in the log entry and the NMU version number in it.
- </para>
- <para>
- By convention, source NMU changelog entries start with the line
  </para>
  <screen>
-   * Non-maintainer upload
+   * Non-maintainer upload.
  </screen>
- </section>
- <section id="nmu-patch">
- <title>Source NMUs and the Bug Tracking System</title>
  <para>
- Maintainers other than the official package maintainer should make as few
+ The way to version NMUs differs for native and non-native packages.
- changes to the package as possible, and they should always send a patch as a
- unified context diff (<literal>diff -u</literal>) detailing their changes to
- the Bug Tracking System.
  </para>
  <para>
- What if you are simply recompiling the package?  If you just need to recompile
+ If the package is a native package (without a debian revision in the version number),
- it for a single architecture, then you may do a binary-only NMU as described in
+ the version must be the version of the last maintainer upload, plus
- <xref linkend="binary-only-nmu"/> which doesn't require any patch to be sent.
+ <literal>+nmu<replaceable>X</replaceable></literal>, where
- If you want the package to be recompiled for all architectures, then you do a
+ <replaceable>X</replaceable> is a counter starting at <literal>1</literal>.
- source NMU as usual and you will have to send a patch.
+ If
+ the last upload was also an NMU, the counter should be increased.  For example,
+ if the current version is <literal>1.5</literal>, then an NMU would get
+ version <literal>1.5+nmu1</literal>.
+ </para>
+ <para>
+ If the package is a not a native package, you should add a minor version number
+ to the debian revision part of the version number (the portion after the last
+ hyphen). This extra number must start at 1.  For example,
+ if the current version is <literal>1.5-2</literal>, then an NMU would get
+ version <literal>1.5-2.1</literal>. If a new upstream version
+ is packaged in the NMU, the debian revision is set to <literal>0</literal>, for
+ example <literal>1.6-0.1</literal>.
+ </para>
+ <para>
+ In both cases, if the last upload was also an NMU, the counter should
+ be increased. For example, if the current version is
+ <literal>1.5+nmu3</literal> (a native package which has already been
+ NMUed), the NMU would get version <literal>1.5+nmu4</literal>.  .
+ </para>
+ <para>
+ A special versioning scheme is needed to avoid disrupting the maintainer's
+ work, since using an integer for the Debian revision will potentially
+ conflict with a maintainer upload already in preparation at the time of an
+ NMU, or even one sitting in the ftp NEW queue.
+ It also has the
+ benefit of making it visually clear that a package in the archive was not made
+ by the official maintainer.
+ </para>
+ <para>
+ If you upload a package to testing or stable, you sometimes need to "fork" the
+ version number tree. This is the case for security uploads, for example.  For
+ this, a version of the form
+ <literal>+deb<replaceable>XY</replaceable>u<replaceable>Z</replaceable></literal>
+ should be used, where <replaceable>X</replaceable> and
+ <replaceable>Y</replaceable> are the major and minor release numbers, and
+ <replaceable>Z</replaceable> is a counter starting at <literal>1</literal>.
+ When the release number is not yet known (often the case for
+ <literal>testing</literal>, at the beginning of release cycles), the lowest
+ release number higher than the last stable release number must be used.  For
+ example, while Etch (Debian 4.0) is stable, a security NMU to stable for a
+ package at version <literal>1.5-3</literal> would have version
+ <literal>1.5-3+deb40u1</literal>, whereas a security NMU to Lenny would get
+ version <literal>1.5-3+deb50u1</literal>. After the release of Lenny, security
+ uploads to the <literal>testing</literal> distribution will be versioned
+ <literal>+deb51uZ</literal>, until it is known whether that release will be
+ Debian 5.1 or Debian 6.0 (if that becomes the case, uploads will be versioned
+ as <literal>+deb60uZ</literal>.
  </para>
+ </section>
+ <section id="nmu-delayed">
+ <title>Using the <literal>DELAYED/</literal> queue</title>
  <para>
- Bugs fixed by source NMUs used to be tagged fixed instead of closed, but since
+ Having to wait for a response after you request permission to NMU is
- version tracking is in place, such bugs are now also closed with the NMU
+ inefficient, because it costs the NMUer a context switch to come back to the
- version.
+ issue.
+ The <literal>DELAYED</literal> queue (see <xref linkend="delayed-incoming"/>)
+ allows the developer doing the NMU to perform all the necessary tasks at the
+ same time. For instance, instead of telling the maintainer that you will
+ upload the updated
+ package in 7 days, you should upload the package to
+ <literal>DELAYED/7</literal> and tell the maintainer that he has 7 days to
+ react.  During this time, the maintainer can ask you to delay the upload some
+ more, or cancel your upload.
  </para>
  <para>
- Also, after doing an NMU, you have to send the information to the existing bugs
+ The <literal>DELAYED</literal> queue should not be used to put additional
- that are fixed by your NMU, including the unified diff.  Historically, it was
+ pressure on the maintainer. In particular, it's important that you are
- custom to open a new bug and include a patch showing all the changes you have
+ available to cancel or delay the upload before the delay expires since the
- made.  The normal maintainer will either apply the patch or employ an alternate
+ maintainer cannot cancel the upload himself.
- method of fixing the problem.  Sometimes bugs are fixed independently upstream,
- which is another good reason to back out an NMU's patch.  If the maintainer
- decides not to apply the NMU's patch but to release a new version, the
- maintainer needs to ensure that the new upstream version really fixes each
- problem that was fixed in the non-maintainer release.
  </para>
  <para>
- In addition, the normal maintainer should <emphasis>always</emphasis> retain
+ If you make an NMU to <literal>DELAYED</literal> and the maintainer updates
- the entry in the changelog file documenting the non-maintainer upload -- and of
+ his package before the delay expires, your upload will be rejected because a
- course, also keep the changes.  If you revert some of the changes, please
+ newer version is already available in the archive.
- reopen the relevant bug reports.
+ Ideally, the maintainer will take care to include your proposed changes (or
+ at least a solution for the problems they address) in that upload.
  </para>
  </section>
- <section id="nmu-build">
+ <section id="nmu-maintainer">
- <title>Building source NMUs</title>
+ <title>NMUs from the maintainer's point of view</title>
  <para>
- Source NMU packages are built normally.  Pick a distribution using the same
+ When someone NMUs your package, this means they want to help you to keep it in
- rules as found in <xref linkend="distribution"/> , follow the other
+ good shape.  This gives users fixed packages faster.  You
- instructions in <xref linkend="upload"/> .
+ can consider asking the NMUer to become a co-maintainer of the package.
+ Receiving an NMU on a package is not a bad
+ thing; it just means that the package is interesting enough for other people to
+ work on it.
  </para>
  <para>
- Make sure you do <emphasis>not</emphasis> change the value of the maintainer in
+ To acknowledge an NMU, include its changes and changelog entry in your next
- the <filename>debian/control</filename> file.  Your name as given in the NMU
+ maintainer upload.  If you do not acknowledge the NMU by including the
- entry of the <filename>debian/changelog</filename> file will be used for
+ NMU changelog entry in your changelog, the bugs will remain closed in the
- signing the changes file.
+ BTS but will be listed as affecting your maintainer version of the package.
  </para>
  </section>
- <section id="ack-nmu">
+ <section id="nmu-binnmu">
- <title>Acknowledging an NMU</title>
+ <title>Source NMUs vs Binary-only NMUs (binNMUs)</title>
  <para>
- If one of your packages has been NMU'ed, you have to incorporate the changes in
+ The full name of an NMU is <emphasis>source NMU</emphasis>.  There is also
- your copy of the sources.  This is easy, you just have to apply the patch that
+ another type, namely the <emphasis>binary-only NMU</emphasis>, or
- has been sent to you.  Once this is done, you have to close the bugs that have
+ <emphasis>binNMU</emphasis>.  A binNMU is also a package upload by someone
- been tagged fixed by the NMU.  The easiest way is to use the
+ other than the package's maintainer.  However, it is a binary-only upload.
- <literal>-v</literal> option of <command>dpkg-buildpackage</command>, as this
- allows you to include just all changes since your last maintainer upload.
- Alternatively, you can close them manually by sending the required mails to the
- BTS or by adding the required <literal>closes: #nnnn</literal> in the changelog
- entry of your next upload.
  </para>
  <para>
- In any case, you should not be upset by the NMU.  An NMU is not a personal
+ When a library (or other dependency) is updated, the packages using it may need
- attack against the maintainer.  It is a proof that someone cares enough about
+ to be rebuilt.  Since no changes to the source are needed, the same source
- the package that they were willing to help you in your work, so you should be
+ package is used.
- thankful.  You may also want to ask them if they would be interested in helping
- you on a more frequent basis as co-maintainer or backup maintainer (see <xref
- linkend="collaborative-maint"/> ).
  </para>
- </section>
- <section id="nmu-vs-qa">
- <title>NMU vs QA uploads</title>
  <para>
- Unless you know the maintainer is still active, it is wise to check the package
+ BinNMUs are usually triggered on the buildds by wanna-build.
- to see if it has been orphaned.  The current list of orphaned packages which
+ An entry is added to debian/changelog,
- haven't had their maintainer set correctly is available at <ulink
+ explaining why the upload was needed and increasing the version number as
- url="&url-debian-qa-orphaned;"></ulink>.  If you perform an NMU on an
+ described in <xref linkend="binary-only-nmu"/>.
- improperly orphaned package, please set the maintainer to <literal>Debian QA Group
+ This entry should not be included in the next upload.
- &lt;packages@qa.debian.org&gt;</literal>.
  </para>
- </section>
- <section id="nmu-who">
- <title>Who can do an NMU</title>
  <para>
- Only official, registered Debian Developers can do binary or source NMUs.  A
+ Buildds upload packages for their architecture to the archive as binary-only
- Debian Developer is someone who has their key in the Debian key ring.
+ uploads.  Strictly speaking, these are binNMUs.  However, they are not normally
- Non-developers, however, are encouraged to download the source package and
+ called NMU, and they don't add an entry to debian/changelog.
- start hacking on it to fix problems; however, rather than doing an NMU, they
- should just submit worthwhile patches to the Bug Tracking System.  Maintainers
- almost always appreciate quality patches and bug reports.
  </para>
  </section>
- <section id="nmu-terms">
+ <section id="nmu-qa-upload">
- <title>Terminology</title>
+ <title>NMUs vs QA uploads</title>
  <para>
- There are two new terms used throughout this section: ``binary-only NMU'' and
+ NMUs are uploads of packages by somebody else than their assigned maintainer.
- ``source NMU''.  These terms are used with specific technical meaning
+ There is
- throughout this document.  Both binary-only and source NMUs are similar, since
+ another type of upload where the uploaded package is not yours: QA uploads. QA
- they involve an upload of a package by a developer who is not the official
+ uploads are uploads of orphaned packages.
- maintainer of that package.  That is why it's a
- <literal>non-maintainer</literal> upload.
  </para>
  <para>
- A source NMU is an upload of a package by a developer who is not the official
+ QA uploads are very much like normal maintainer uploads: they may fix anything,
- maintainer, for the purposes of fixing a bug in the package.  Source NMUs
+ even minor issues; the version numbering is normal, and there is no need to use
- always involves changes to the source (even if it is just a change to
+ a delayed upload.  The difference is that you are not listed as the Maintainer
- <filename>debian/changelog</filename>).  This can be either a change to the
+ or Uploader for the package.  Also, the changelog entry of a QA upload has a
- upstream source, or a change to the Debian bits of the source.  Note, however,
+ special first line:
- that source NMUs may also include architecture-dependent packages, as well as
- an updated Debian diff.
  </para>
+ <screen>
+  * QA upload.
+ </screen>
  <para>
- A binary-only NMU is a recompilation and upload of a binary package for a given
+ If you want to do an NMU, and it seems that the maintainer is not active, it is
- architecture.  As such, it is usually part of a porting effort.  A binary-only
+ wise to check if the package is orphaned
- NMU is a non-maintainer uploaded binary version of a package, with no source
+ (this information is displayed on the package's Package Tracking System page).
- changes required.  There are many cases where porters must fix problems in the
+ When doing the first QA upload to an
- source in order to get them to compile for their target architecture; that
+ orphaned package, the maintainer should be set to <literal>Debian QA Group
- would be considered a source NMU rather than a binary-only NMU.  As you can
+ &lt;packages@qa.debian.org&gt;</literal>.  Orphaned packages which did
- see, we don't distinguish in terminology between porter NMUs and non-porter
+ not yet have a QA upload still have their old maintainer set.  There is a list
- NMUs.
+ of them at <ulink url="&url-orphaned-not-qa;"/>.
  </para>
  <para>
- Both classes of NMUs, source and binary-only, can be lumped under the term
+ Instead of doing a QA upload, you can also consider adopting the package by
- ``NMU''.  However, this often leads to confusion, since most people think
+ making yourself the maintainer.  You don't need permission from anybody to
- ``source NMU'' when they think ``NMU''.  So it's best to be careful: always use
+ adopt an orphaned package, you can just set yourself as maintainer and upload
- ``binary NMU'' or ``binNMU'' for binary-only NMUs.
+ the new version (see <xref linkend="adopting"/>).
  </para>
  </section>
  </section>
-Line 2281 
 available in <literal>unstable</literal>
+Line 2322 
 available in <literal>unstable</literal>
  <listitem>
  <para>
  It must be available on all architectures on which it has previously been built
- in <literal>unstable</literal>.  <xref linkend="dak ls"/> may be of interest
+ in <literal>unstable</literal>.  <xref linkend="dak-ls"/> may be of interest
  to check that information;
  </para>
  </listitem>

 Legend:



Removed from v.5231
 


changed lines


 
Added in v.6761
 Legend:



Removed from v.5231
 


changed lines


 
Added in v.6761
-Removed from v.5231
+Added in v.6761

	ViewVC Help
Powered by ViewVC 1.1.5