Comment 1 Jan Beich 2016-11-02 23:09:11 UTC

(In reply to Martin Birgmeier from comment #0)
> While this has the advantage of quickly exposing new features to the
> general public,

It also means quickly fixing security vulnerabilities that upstream hasn't yet published but the bad guys may already be using or can deduce from individual commits.

> it also means that potentially unstable code is being distributed.

Such code can end up in releases as well, otherwise there'd be only one major version each iteration (6 weeks). Not to mention any major Firefox release is potentially unstable because upstream considers FreeBSD a Tier3 platform i.e., no one is assigned to check for our regressions. And I'm not interested in debugging broken builds, crashes or runtime regressions specific to old versions.

If you want the most stability maybe switch to www/firefox-esr.

> Furthermore, this is done in a rather intransparent way, as one cannot
> deduce from the version designation that a release candidate has
> actually been installed.

A release candidate may be promoted to an actual release in which case the distfile wouldn't change, so the package has to stay the same. If a new one appears before release, PORTREVISION is bumped. So, users shouldn't try to deduce versions in order to skip some but upgrade packages regularly.

> A further disadvantage is the rapid succession of new releases with little
> relevant changes requiring frequent updates.

www/firefox has PORTREVISION bumped often for other reasons as well e.g., 49.* had ports r421532 ports r422464, ports r422465, ports r422711, ports r422956 or ports r423591. Our quaterly branches (e.g. 2016Q4) are better suited for users that want less frequent updates. But thanks for reminding me I shouldn't merge candidates there.

www/firefox-esr rarely has non-build1 candidates as ESR branch isn't supposed to carry anything but bug and security fixes. If it has more candidates then something was rushed through upstream QA process which makes the update more risky.

> I therefore propose to split off -devel versions of these ports where
> users who want to stay on the bleeding edge are served the release
> candidates as is currently done on the main ports. The main ports
> themselves should revert to only upgrading to truly released versions.

-devel suffix is for ports that snapshot development branch i.e., mozilla-central in this case. What you probably meant is -beta but release candidates are more are of its own flavor. However, I don't plan to create new gecko@ ports as it'd increase maintenance. Some refactoring needs to happen first in order to increase bus factor and expand the team.

Thank you for these remarks.

I understand that maintaining separate -beta ports is too time-consuming. Maybe it would still be possible to just not include the release candidates in the release cycles for these ports as was done previously, or maybe add a flag which allows to easily skip upgrading of the port as long as it is based on a release candidate - although that might need a change in the port make infrastructure (and probably portmaster, too).

In any case I want to add that I really appreciate how well these essential ports are maintained, and how quickly you resolve any issues (I submitted one myself not too long ago).

-- Martin

Comment 3 Walter Schwarzenfeld 2018-01-14 03:29:40 UTC

Seems answered. Could this closed?

Maintainer does not like the idea, so let's close this PR.