Re: Are binary packages required to be built from the corresponding source files?
Ben Finney <email@example.com> writes:
> Charlie Smotherman <firstname.lastname@example.org> writes:
>> "ampache ships a swf file but does not build it from source."
>> I am curious to know which part of Debian Policy states that this is
>> required? I have searched but was unable to find anything.
> I would interpret it as follows:
> Policy §2.2.1 states “Every package in _main_ must comply with the DFSG
> (Debian Free Software Guidelines).”
> To comply with DFSG §2, the source package must include the binary
> package's corresponding source code.
> To comply with DFSG §3, the package must allow the recipient to make
> modifications and build a package suitable for redistribution.
> Policy §2.2.1 further states “In addition, the packages in _main_ […]
> must not require a package outside of _main_ for compilation or
> execution […]”.
> If the package build process doesn't use the source, as modified by the
> recipient, then it's disingenuous to claim that DFSG §3 is being met.
> Perhaps the letter is followed, but I would maintain that its intent is

I don't think that it's disingenuous at all, provided that, when you build
that source, you get what the binary package ships. The problem with not
doing that during the build is that, if it ever breaks, we don't know

In other words, not building from source every time is not, in itself, a
Policy violation. What's a Policy violation is shipping binaries that we
*can't* build from source. The problem with not building from source
every time is that we may have latent bugs that we will never know about
until someone tries to modify the code and build it and finds it doesn't

I do not build all components of the packages I am also upstream for when
building the Debian package. Specifically, I don't regenerate the
configure and Makefile.in files. But since I'm upstream, I do this all
the time on a Debian system and I'd know if it ever broke. I'm therefore
comfortable and confident that I don't have latent bugs here. I think my
packages are Policy-compliant. But if anyone ever found cases where that
assumption is wrong, I'd have to rethink that position.

(Please note: it may still be a normal bug to not build from source every
time. Personally, I think in most situations it probably is. Not every
normal bug in packages is spelled out in Policy, or can be.)

Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>