Re: Source-Depends? Autoreconf?

To: debian-devel@lists.debian.org
Subject: Re: Source-Depends? Autoreconf?
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sat, 2 May 2009 13:26:00 -0300
Message-id: <[🔎] 20090502162559.GB1127@khazad-dum.debian.net>
In-reply-to: <[🔎] 20090502140156.GA21302@pcpool00.mathematik.uni-freiburg.de>
References: <[🔎] 878wlfaflp.fsf@gmail.com> <[🔎] 20090502140156.GA21302@pcpool00.mathematik.uni-freiburg.de>

On Sat, 02 May 2009, Bernhard R. Link wrote:
> First of all, you do not discuss the most common type of packages: do
> not change the build-system, but just use it. This means autotools are
> never called, neighter when preparing the package, nor when building the
> package.

Yeah, it is really common, and it is also close to being the 'worst
practice' (except for the few packages whose upstream takes very good
care of their build system and keep it up-to-date themselves).

> The more important goals are:
>  - derivation from upstream:
>     + every change means using something not previously tested.

Well, as a rule, we do much better at testing build systems than any
upstream, anywhere.  We build for MUCH more platforms, for one.  And
likely we're already using a newer toolchain than upstream anyway...
and that's far more likely to root out bogosity (or to cause bogosity
for that matter) than autoreconf.

> Change source files, run autoreconf at build time
> - derivation: package is build with a system run with another autotools
>   version, but the way this is done is canonical
> - identification: as only the build system's source file changes, easy
>   to grasp (unless the new autotools version bring the real changes).
> - maintainability: perfect
> - robustness: danger of new autotools version breaking the build

This is the current best practice, but it needs to be done right.
There is a reason why autotools-dev recommends that you should use the
proper environment vars (and build-deps and conflicts when needed) to
lock the auto* versions you have tested with.

There is one _very_ important reason why it is the best practice, too:
since the build process is complete, and tested at every upload on
every arch, it is far less likely to break on the hands of the
security team, or on the hands of a porter of a new arch, or in the
hands of someone else in a time of need.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: Source-Depends? Autoreconf?
  - From: "Bernhard R. Link" <brlink@debian.org>

References:
- Source-Depends? Autoreconf?
  - From: Marius Vollmer <marius.vollmer@gmail.com>
- Re: Source-Depends? Autoreconf?
  - From: "Bernhard R. Link" <brlink@debian.org>

Prev by Date: Re: Source-Depends? Autoreconf?
Next by Date: Re: Bug#524787: ITP: unicorn -- Drivers and applications for the Bewan ADSL PCI ST and USB modems
Previous by thread: Re: Source-Depends? Autoreconf?
Next by thread: Re: Source-Depends? Autoreconf?
Index(es):
- Date
- Thread