On Fri, 20 Feb 2015 22:15:41 +0100
Marc Haber <mh+debian-devel@zugschlus.de> wrote:

> On Fri, 20 Feb 2015 09:04:56 +0100, Harald Dunkel <harri@afaics.de>
> wrote:
> >Problem: The Debian maintainer messed up the version numbers
> >and had to introduce a "1:" for his foo package. Now upstream's
> >package always appears to be out of date, forcing me to override
> >apt-get.
>
> That is unfortunately a situation that our tools don't handle well.
> You could try pinning down Debian's version of that package in
> apt_preferences(5).

This works a lot better if upstream provide a repository (with
identifying details unique to that repository) as the pin can work in
both directions, withstanding changes in the versions due to epochs
etc. Standalone .deb files "lobbed over the wall" from upstream are the
most common source of the reasons why upstream packages have such a bad
name, even if a .dsc is provided.

Signing an upstream repository can be a mixed blessing - downloading an
.asc file from the same website isn't the best way to trust the
packages from that website but is the typical way these things get
done. If someone goes to the length of packaging a keyring package,
it's much better to simply package the software instead and use the
archive keyring with all the mirrors, buildds and PTS etc.

> >If upstream's Debian package of a tool is "not good enough"
> >for Debian for some reason, wouldn't it be reasonable to avoid
> >a naming conflict on creating the Debian package?

> Unfortunately, most upstreams make Debian packages unsuitable for
> inclusion in Debian proper. That's however unavoidable, since nearly
> no upstream can invest the time needed to provide really good packages
> for all major distributions out there.

Agreed, upstream's .deb file is almost never "good enough" for direct
inclusion into Debian or "simple" inclusion via a clean rebuild &
signing. The times it does work (for Debian packages at least) are when
there is a DD on the upstream team...

Keeping up with Policy, packaging practice and other requirements
within the distro is not something anyone should expect upstream to do
without someone on the team being a member of that distro.

A .deb file is not a simple archive; it is trivially easy to make a
"bad" .deb which ignores Policy and breaks your system completely.

It is in everyone's interest that the Debian package has the same name
as the source package released by upstream - unless there is a
different package, from a different upstream, already in the archive
with that name or the upstream uses an inappropriate or overly generic
name.

--

Neil Williams
=============
http://www.linux.codehelp.co.uk/