Re: Debian choice of upstream tarballs for packaging

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Debian choice of upstream tarballs for packaging
From: Paul Wise <pabs@debian.org>
Date: Wed, 18 Aug 2021 03:04:58 +0000
Message-id: <[🔎] CAKTje6Hv_szvuWUuCMnutSQdNcb+Yyjq=MWF5NuGaURLxQ-kHA@mail.gmail.com>
In-reply-to: <[🔎] ee2dc499-e33d-862b-8b5b-bb8266fc89ee@hogyros.de>
References: <[🔎] 937697e40caf519e18119635db07d7b74b37b980.camel@debian.org> <[🔎] ee2dc499-e33d-862b-8b5b-bb8266fc89ee@hogyros.de>

On Tue, Aug 17, 2021 at 12:17 PM Simon Richter wrote:

> This is also an additional burden on package maintainers: explaining how
> they arrived at that particular "upstream" package in a reproducible way

Debian explaining how we arrived at a particular orig.tar.gz is well
established; use a debian/watch file. It supports accessing git
repositories directly.

> and why what we ship as "orig" is different from upstream, and what
> the copyright and licensing situation for that derived work is.

I see it another way, the upstream packages/tarballs are usually a
derived work of their VCS, adding cruft that should not be there and
removing files that should be there.

The fundamental problem is that the packages/tarballs are seen more as
something for end-users (who are often developers) to run (or
sometimes build) than for people building from source or for distros.
So upstream packages/tarballs end up as a mix of source and binary
packages. So these tarballs/packages are of a fundamentally different
nature to Debian source packages and are for an entirely different
audience than Debian package maintainers, who are doing the same
source -> binary packaging job as upstream package ecosystems, but for
the Debian packaging format instead of different formats for different
ecosystems. In the case of Firefox XPI packages, they are even more
like Debian binary packages, and yet Debian is using XPI packages as
our source packages for webext-* packages.

I agree with much of the remainder of your mail, but the world of
Debian, FLOSS, software and technology in general has disillusioned me
enough that I believe the efforts at improving upstream
packages/tarballs/ecosystems you suggest will mostly be futile, which
is why I suggest giving up on improving anything except the upstream
VCS. Even that is going to be hard to improve, many upstreams will
refuse to remove build system cruft, generated files, (modified)
embedded code copies and so on.

In both approaches, the first step is for Debian maintainers to
routinely compare the upstream VCS with the chosen Debian upstream
tarball. I tend to either use diffoscope or unpack and use a graphical
tree diff tool like meld. Once the comparison is done, the options are
to either switch to the VCS (as I suggest) or discuss the differences
with upstream (as you suggest). I encourage everyone to at least think
about doing the VCS comparison when adding new upstream releases to
Debian and choosing one or the other path for dealing with the
differences.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Debian choice of upstream tarballs for packaging
  - From: Simon Richter <sjr@debian.org>

References:
- Debian choice of upstream tarballs for packaging
  - From: Paul Wise <pabs@debian.org>
- Re: Debian choice of upstream tarballs for packaging
  - From: Simon Richter <sjr@debian.org>

Prev by Date: Re: Debian 11 Bullseye Setup Problems Error Report
Next by Date: Re: A summary of where I think we are on the technical side of the merged /usr discussion
Previous by thread: Re: Debian choice of upstream tarballs for packaging
Next by thread: Re: Debian choice of upstream tarballs for packaging
Index(es):
- Date
- Thread