Re: What to do with version conflicts?
Hi John,
On Sat, Sep 4, 2021 at 4:34 PM John Goerzen <jgoerzen@complete.org> wrote:
>
> What is the usual path forward here?
> I'm not sure about the more general case.
> Thoughts?
I wish someone with your experience and reputation were to propose a
general solution to the vendoring problem. [1] [2] It also surfaces
frequently in many other languages, such as Rust or Haskell. I see two
general solutions:
(a) Co-existing, versioned source packages with automatic, nightly
imports into Debian.
(b) Fully vendored uploads with centralized version tracking and
patching to address security and other concerns.
Debian seems to pursue some path to (a), but different source versions
do not generally co-exist. I am also told that the archive is
straining under too many installables. The Node team at least has been
told to double up source packages via the multiple tarball mechanism,
even though run-time access to the sources is actually more important
for them and other interpreted languages like Perl than for any of the
compiled languages (like Go).
My preference is probably (b). It would focus the archive on
executables and shared libraries for users rather than developers, who
have other ways to get source code for the software they are writing.
It would also ensure that anyone who gets sources can build them,
although deduplication could become a concern.
Kind regards
Felix Lechner
[1] https://bugs.debian.org/971515
[2] https://lwn.net/Articles/843313/
Reply to: