
Re: How to deal with "assets" packages shadowing real upstream




Hi,

On Fri, Feb 26, 2016 at 07:59:29PM +0100, Jonas Smedegaard wrote:
> Do we favor tracking the true upstreams when packaging for Debian?

There was some discussion about this on the list recently, but this is a
question that didn't really come up, AFAIK.

IMO, there are two things that matter here:
1. We require source.  If the "fake" upstream does not provide that, it is
   certainly not adequate.  IIUC, this is your situation (but I didn't check
   your links).  That is: minified js is not source, and a project including it
   in its distribution is equivalent to a compiled project including a static
   library.  In both cases, the code must be packaged from its source, and the
   bundled version must be discarded.  This was discussed, and AFAIK what I
   wrote here is what most (but not all) people agreed with.

2. Needless forking is bad.  There is no consent on what is "needless" though.
   My point is that having multiple copies of a thing that are all treated as
   source leads to problems.  In Debian, we recognize that and one effect of
   that is that we don't want bundled libraries in packages.  In the greater
   free software community, not everyone sees it this way.  Having this opinion
   in Debian, I think we should use our influence to try to push upstreams the
   right way.  That means we should package real upstream if there are multiple
   sources to choose from.  Another reason for doing this is that future code
   duplication in Debian is automatically prevented.  In your example: if
   someone needs the serverside version of the package, they would package
   node-handlebars and then we have two versions of the code in Debian.  If the
   real upstream was used to begin with, that problem would have been avoided.

Thanks,
Bas

