
Re: Problems with the current source packaging scheme



Thanks for the write-up, Lars.  Time for me to comment.

Hopefully, we can keep the discussion constructive...   :-)

> * .orig.tar.gz gets separated from .dsc and .diff.gz, and may get lost

Well, they shouldn't get lost - but sometimes they are legitimately there,
and sometimes they are legitimately not there -- so if they accidentally
get cleaned, it's hard to spot.
 
> * upstream sources not preserved bit-for-bit; need to be repackaged, which
>   can destroy upstream digital signatures, and makes it more difficult to
>   check that .orig.tar.gz and upstream sources are the same

The only reason they currently get repackaged is so that they can be easily
stored in the archive.  If we just "wrap" them in something else, it 
accomplishes the same objective without being so darn destructive.
 
> * no automated way to check .orig.tar.gz files against upstream distribution
>   (located on well known web sites), or upstream digital signature, if any

See previous comment.
 
> * Debian packages are not PGP-signed by the Debian maintainer, except via the
>   .dsc file.

Maybe we need a new version of the .deb file format?

i.e.

$ ar t jdk1.1-runtime_1.1.1-1_i386.deb 
debian-binary
control.tar.gz
data.tar.gz

Just add another file to it called "pgp-md5sum" which is just the 
md5sum of control.tar.gz concatenated to data.tar.gz and pgp signed.
Plus increment the debian-binary version number to 3.0.
 
> * no way to automatically retrieve the upstream source package, or its
>   updates

If dpkg/dselect/deity could handle source packages as well as binary packages,
this could work.
 
> * no dependencies for source packages

If we had these, we might eventually be able to mandate that source packages
must be buildable out of the box (providing the dependencies are satisfied).
This would ensure that we have a buildable global source tree.
 
> * binary files are handled badly

How so?
 
> * upstream sources sometimes come in many different files
>
> * building a binary package requires running as root

I don't really see this as an issue -- that is, until dpkg allows people to
install files while not running as root.

I hope I was constructive...  :-)

Cheers,

 - Jim
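
Added example (not part of the original message, and not dpkg code): a sketch of the digest that the proposed "pgp-md5sum" member would carry, computed by parsing the ar container directly and hashing control.tar.gz followed by data.tar.gz. The function names and the sample archive are constructed for illustration, and the PGP signing step itself is left out.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Parse a Unix ar archive (the .deb container) into {name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]          # fixed 60-byte member header
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size or name in members:
            # A duplicate name would let the hashed copy differ from the unpacked one.
            raise ValueError("truncated or duplicate member %r" % name)
        members[name] = data
        pos += 60 + size + (size & 1)        # member data is padded to an even length
    return members

def proposed_digest(blob):
    """MD5 over control.tar.gz followed by data.tar.gz, as the message proposes."""
    m = ar_members(blob)
    for required in ("debian-binary", "control.tar.gz", "data.tar.gz"):
        if required not in m:
            raise ValueError("missing member " + required)
    # MD5 is the digest named in the message; it is not collision-resistant today.
    return hashlib.md5(m["control.tar.gz"] + m["data.tar.gz"]).hexdigest()

def build_ar(files):
    """Build a constructed ar archive for the demo (not a real package)."""
    out = AR_MAGIC
    for name, data in files:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

# Constructed sample with the three members shown in the "ar t" listing above.
SAMPLE = build_ar([("debian-binary", b"2.0\n"),
                   ("control.tar.gz", b"constructed-control"),
                   ("data.tar.gz", b"constructed-data")])

if __name__ == "__main__":
    print(proposed_digest(SAMPLE))
```

Because only the two tarballs are hashed, adding the signature member afterwards does not change the digest, but the debian-binary member and any other extra members are not covered by it.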


