Re: About language specific package management tools

To: debian-project@lists.debian.org
Subject: Re: About language specific package management tools
From: Anthony Towns <aj@erisian.com.au>
Date: Fri, 30 Jan 2015 09:54:14 +0000
Message-id: <[🔎] 20150130095414.GA14325@master.debian.org>
In-reply-to: <[🔎] 0000014b2698cba1-b2e5ca2f-3a3a-4d09-ad10-b2d2c1ca849f-000000@email.amazonses.com>
References: <[🔎] 20150122023509.GA79321@gwolf.org> <[🔎] 87oaprpm6f.fsf@hope.eyrie.org> <[🔎] 20150122102845.GA18856@master.debian.org> <[🔎] CAKTje6GnkSLoaLDhuBTBZhCy-osj+oyko54yNL_K0n_C9oWxhA@mail.gmail.com> <[🔎] 20150123105755.GA7638@master.debian.org> <[🔎] 20150123115132.GH21130@earth.li> <[🔎] 20150124051340.GA17130@master.debian.org> <[🔎] loom.20150126T104014-875@post.gmane.org> <[🔎] 0000014b2698cba1-b2e5ca2f-3a3a-4d09-ad10-b2d2c1ca849f-000000@email.amazonses.com>

On Mon, Jan 26, 2015 at 02:15:22PM +0000, Sam Hartman wrote:
> One huge advantage of teaching our package management tools to
> understand alternate package technologies and convert on the fly is that
> we can use the mirror networks of the language-specific packages.
> Unfortunately, we're fairly picky about licensing issues and legal
> distributability of packages.  

The above's fair. But I don't think you can say:

> That's a significant value we add to Debian and it's really important.  

and then go on to say that it's hard so we should just wash our hands of
the responsibility by letting our users go direct to upstream and deal
with the problems themselves. Either it's valuable and it's worth doing,
or it's not worth worrying about and not actually that valuable.

It's not like the problem goes away if Debian ignores it: it still hits
the upstream (distributing it in the first place), their mirror network
(redistributing), and users (who might base their code or systems on
libraries that they don't have any right to actually use).

> However, we'll probably find that if
> we tried to automate something we'd discover legal problems. 

The fact that CPAN, PyPI and others exist and function puts an upper
bound on the problems that there are to be discovered. It's something
they can manage, so it's something we could manage too.

It's entirely possible that having two levels of vetting would be valuable
to our users -- ie, our current level of NEW checking for "main", and
a CPAN/PyPI/etc "minimal effort" level of checking for "extras". That's
not much different to the main vs non-free split we already have, except
that in this case it'd still be all about promoting free software.

> We'd
> discover confirming DFSG status difficult if we tried and that there are
> probably packages out there our users want that really when you look at
> it aren't actually even redistributable.

That already happens occassionally with stuff in main, cf:

  http://snapshot.debian.org/removal/

Cheers,
aj

Reply to:

Follow-Ups:
- Re: About language specific package management tools
  - From: Peter Pentchev <roam@ringlet.net>

References:
- About the recent DD retirements
  - From: Gunnar Wolf <gwolf@gwolf.org>
- Re: About the recent DD retirements
  - From: Russ Allbery <rra@debian.org>
- Re: About the recent DD retirements
  - From: Anthony Towns <aj@erisian.com.au>
- Re: About the recent DD retirements
  - From: Paul Wise <pabs@debian.org>
- Re: About the recent DD retirements
  - From: Anthony Towns <aj@erisian.com.au>
- Re: About language specific package management tools
  - From: Jonathan McDowell <noodles@earth.li>
- Re: About language specific package management tools
  - From: Anthony Towns <aj@erisian.com.au>
- Re: About language specific package management tools
  - From: Thorsten Glaser <tg@mirbsd.org>
- Re: About language specific package management tools
  - From: Sam Hartman <hartmans@debian.org>

Prev by Date: Debian Maintainers Keyring changes
Next by Date: Re: About language specific package management tools
Previous by thread: Re: About language specific package management tools
Next by thread: Re: About language specific package management tools
Index(es):
- Date
- Thread