Re: How to deal with "assets" packages shadowing real upstream
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
On Fri, Feb 26, 2016 at 07:59:29PM +0100, Jonas Smedegaard wrote:
> Do we favor tracking the true upstreams when packaging for Debian?
There was some discussion about this on the list recently, but this is a
question that didn't really come up, AFAIK.
IMO, there are two things that matter here:
1. We require source. If the "fake" upstream does not provide that, it is
certainly not adequate. IIUC, this is your situation (but I didn't check
your links). That is: minified js is not source, and a project including it
in its distribution is equivalent to a compiled project including a static
library. In both cases, the code must be packaged from its source, and the
bundled version must be discarded. This was discussed, and AFAIK what I
wrote here is what most (but not all) people agreed with.
2. Needless forking is bad. There is no consent on what is "needless" though.
My point is that having multiple copies of a thing that are all treated as
source leads to problems. In Debian, we recognize that and one effect of
that is that we don't want bundled libraries in packages. In the greater
free software community, not everyone sees it this way. Having this opinion
in Debian, I think we should use our influence to try to push upstreams the
right way. That means we should package real upstream if there are multiple
sources to choose from. Another reason for doing this is that future code
duplication in Debian is automatically prevented. In your example: if
someone needs the serverside version of the package, they would package
node-handlebars and then we have two versions of the code in Debian. If the
real upstream was used to begin with, that problem would have been avoided.
Thanks,
Bas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJW0KSPAAoJEJzRfVgHwHE6ZxAQAJnB5S/kKeCJpdIWkyCPAdXe
zy4eiDlP7U4HCejSF991dWV+OD2KKn5wdQA26XpuJfd8v06qOVeEh3d3SQvbYXWP
oxlfpUo3iuWUXWgxuvphmJFEeZxHN/yavqLbu9vOGmfoyqHJq6osTu3/pxQnc9Ps
MU5jyvmbJqAypgB/zzfULz38fuiuyGB7OjDJSB+XkORJMJUVymDr/hrC6QBN2Vxi
l8OtoZcrLxjOuKVEimatnR/UAseMVODJ5LBsQ2Qrw5xSWE7MeGAGnxnikTW/nbuk
ThugoLcyOn2OWwyz8ziOl7mPfTyqxDHtbeA7gzmZO3ZXzctyeeLCbPZLcTRDg6pe
kQxYztIGPxoWABCaUCgkE/nc1L3Jd3zc74L9M71FdyxEx/dzRgWGD8MuWVoGocfN
oW83exDm6+gSkxGwR1b2QOemf8GO00HeKxVoy+p07r5Qbk6Y5bnRZvB9TMJqLHNF
X2x1isBp/Xon/4tWYQTUrHDwB4XoU/9JWFZ/S0b+dB00oaGU74iVsMxUwKqMp0p2
X69I7H99ISLY1pYXpbFtlFWPD33EbYva8pBbctf7XXN93eupQMX9JAl+lfXFh24U
ES4nCiJxMBTzHkAxS48jSTGFrBCh3NzfLjku5aY9LHZ2/DiBgmYpznC1SQIz2Ewe
a4r6eN722Hi6w3hXyjv8
=g6Xz
-----END PGP SIGNATURE-----
Reply to: