[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: git as a source package format?

* Daniel Pocock <daniel@pocock.com.au> [130501 21:28]:
> Would there be any hard objection to a source package format based on
> git-bundle?

I think a git based source package has quite some problems.

- failing to properly make changes visible

  While you can express every history-graph in git, that is not an
  advantage. Changes relative to upstream sources found in a Debian
  source package should not only be present by recording history,
  but as many people as possible should be able to see what is
  actually changed in the package, and to reuse those changes elsewhere
  (either as upstream or sidestream).

  Debian is not like the BSDs[1] that just import some source into their
  CVS, make modifications at will, sometimes merge a new upstream
  version and some years later the only way to see what they changes is
  doing a full diff and hope you can isolate some of the changes.
  We do not fork but want the changes we need either upstream or also
  useable by other. Other distributions and users not using Debian are
  not our enemies, but partners towards a general advance of free software.

  While you can use git to keep changes in a way to make them reviewable
  and ready to transmit them elsewhere (git rebase -i is great), if you
  have that information ready then generating a "3.0 (quilt)" package is
  trivial, and having changes expressed the same way in different
  packages makes it easier for everyone to find the information.
  (At least any other format should come with a way to support being show
   at patch-tracker.debian.org).

[1] They might have changed. It has been a long time since I looked.

- hiding stuff in obscure formats

  While a git-bundle is a format that is not that complicated to use
  once you are used to it, even the average git user will rarely know
  how to handle it manually. That means people not having the Debian
  tools available can hardly do anything with them on their own.

  Additionally needing to have some special VCS installed to look at
  a specific program can be a huge burden. While git got quite a decent
  pervasiveness now, not everyone has it and with the next hype it might
  equally fast being gone again.

  At least using such a git format should be absolutely forbidden if
  upstream uses any other free VCS. (I've seen packages in Debian that
  used one VCS, having upstream some inter-distribution working group
  that used anyother VCS that finaly was based on some big comercial
  player that published the free version on yet another VCS. That's

> In other words, dpkg-source would extract all repository history (or all
> of the branch used to build the package) using the git-bundle command.
> The bundle file would then be uploaded to the FTP server instead of a
> traditional source tarball.
> A slight variation of this idea is that the repository would be cloned
> into a temporary bare repo, and that bare repo would be tarred up and
> the tarball would become the source upload.

- legal problems

  if you have all the history it is practically unreviewable for
  undistributeable stuff, and if that stuff is old enough, it is usually
  quite hard to get it out of the history. (There is filter-branch, but
  one does not take such an approach lightly).

  This is not a big problem for having those at alioth or other
  sides (You'll have to ask a lawyer, but I'd guess the ill effects
  are either limited to Debian losing all their money or only the
  team/uploader it is in. And likely alioth admins can just remove
  the git repository there in case something is found or someone sues
  and thereby reduce any penalties perhaps even till none are left.

  But the source packages are found on DVDs and mirrors all over the
  world. Many people help us distributing Debian. We owe them to do
  out best to keep them out of legal trouble for doing so.

  And source is what people need to actually make use of many of
  the software (especially GPL). People providing stuff based on
  Debian (be it pre-installed computers, appliances based on Debian,
  distributions based on Debian, ...) need to have the source ready
  to do so. If they use Debian binary packages, just keeping the
  Debian source package is the obvious way. Unless we switch to a
  source format where those can no longer be legally distributed.

> Then again, some of that behavior could be achieved by creating an
> `apt-get vcs-clone' function to read the Vcs control fields and make a
> clone for a traditional source package's repo.

sudo apt-get install devscripts
debcheckout source-package-name

        Bernhard R. Link

Reply to: