
Bug#934948: Dropping dependencies to avoid extra binary package when same source package targets more than one environment



[copying debian-ruby]

On Wed, 18 Dec 2019 22:55:16 +0000 Simon McVittie <smcv@debian.org> wrote:
> The technical committee has been asked to consider what level of binary
> package granularity is appropriate for the src:ruby-task-list package,
> and for similar packages that provide library code for more than one
> language in the same upstream source release. This is advice under
> §6.1(5) of the Debian constitution, and is not intended to overrule
> any developers' decisions.

Thanks for the detailed response. I wonder if this could be documented in debian-policy or developers reference or some other suitable place.

> 3. For the specific case of src:ruby-task-list, which provides both a Ruby
>   library and a JavaScript library, we suggest:
>
> * shipping both Ruby and JavaScript libraries in a single binary package
> * removing the dependency on the Ruby interpreter, unless there is a
>  reason why it is required
> * asking the maintainers of the Ruby libraries that ruby-task-list
> recursively depends on (such as ruby-rack) to remove *their* dependencies
>  on the Ruby interpreter, unless there is a reason why it is required

Just confirming, this would mean ruby-rack (371 kB), ruby-activesupport (2,082 kB), ruby-html-pipeline (90.1 kB) getting installed even when only the JavaScript library is required for an application. Since this will not be pulling in an interpreter, the waste of space and bandwidth is ignored in this case, as it is not opening an attack vector (unlike the case when an unrelated interpreter is installed). At least 7 MB of packages (combined size of those mentioned recursive dependencies) will be installed when someone just wants to install an 8KB library.

And ruby-activesupport will pull ruby-concurrent (886 kB), ruby-i18n (38.5 kB), ruby-minitest (150 kB), ruby-tzinfo (202 kB). So I will need to ask the maintainers of each of these packages (all of them under the Ruby team) also to remove their dependency on ruby.

ruby-tzinfo will pull ruby-thread-safe (26.4 kB) and tzdata (ruby-thread-safe will pull ruby-atomic (56.3 kB)).

ruby-html-pipeline will pull ruby-nokogiri (446 kB), ruby-pkg-config (8,464 B), and ruby-nokogiri has non-Ruby dependencies too: libxml2 (687 kB), libxslt1.1 (237 kB) and recursively more, at least 32.4 MB of libicu63 (which can be ignored as nodejs also depends on it).

I think we will need to update gem2deb to not add a dependency on ruby if it is a library-only package (i.e., no executables).

