
Re: third-party packages adding apt sources

[cc'ing devel, since this is a rant that involves technical topics, and
 god knows I only go on so many rants a year these days]

On Thu, May 19, 2016 at 05:18:28PM +0200, Daniel Pocock wrote:
> b) many upstreams appear frustrated about getting their package
> officially supported in Debian.

Yeah, I don't think that's it. "officially supported" is burying a lot
of really important discussion we're not having.

> Sometimes there is good reason their
> package doesn't belong in Debian but sometimes it is more about inertia
> in Debian or the upstream isn't aware about backports and thinks their
> package will be stuck at a particular version forever

Frankly, I have a hell of a lot of sympathy for this.

Backports are a whole thing. People have to be actively aware of them.
Users have to be told to add a new thing in the sources by hand, and
install something explicitly. It's calories, and explaining a Debian
process to a user isn't fun. Why would upstreams want to do this?

My claim, as I'll outline below, is, if the upstream wants to give the
user an up-to-date software package, and they have to teach them how to
add a new archive, they'll give them an archive *they control*, because
they're now on the hook for delivering through that channel. Upstream
wants to spend as little time as they can with this, so they make it
easy - they make a deb.

Now, for the rant I promised.

Backports are present when a package is in testing, and backports are a
single channel. Backports are not for upstream's releases, whenever they
want to ship a thing.

We have zero procedure in place for the following:

  - Totally unsupported very old version of ${FOO} in stable, maintainer
    isn't patching bugs, bugs are going to upstream, and upstream is
    annoyed Debian has out of date, perhaps insecure thing X.

  - Leaf package ${BAR} has a robust upstream community, where releases
    are very well tested, with a mature stable/unstable release cycle.
    Our stable release freeze was off by a few months, so we've been
    shipping their 'oldstable' in our 'stable' for years. The
    maintainers are annoyed we don't use the latest stable in our

We can talk about what is and isn't right all day long, or about how PPAs
are going to solve all this one day, but I've become more and more
worried that we're failing to serve users in this way.

Largely, I think the first situation is a common one that our culture
has forced people to group-think "Well, that's bad and the system is
working as intended". We can't let software change on our stable
installs, so this situation is bad, but the intent of stable.

The second one is harder to say that with, since upstream is making
assertions (just as strong as us) on some things. Be it protocol
stability, API stability, or whatever.

We're mostly approximating #2 by stacking up patches from their next
stable, and applying them to our stable. We're basically shipping the
new version with the old version number, without as much testing as the
real version, and only confusing ourselves (patches are a bitch), users
(I have version 1.2), and upstreams (why doesn't Debian trust the
release process), causing tension everywhere. Look at OpenSSL, it's
nuts. (God bless the OpenSSL team for doing this, and finding a way to
keep DDs happy -- or rather -- merely quiet, as well as upstreams and

So, your question, why do people try to make it easy to get the latest
stable software is answered simply with "because we're not". We are the
problem. No one wants to do this. Maintaining an archive sucks. No one
wants to maintain a Debian archive. It's just the least work to deliver
something supportable and maintainable to users.

Go to any mature project, they have a way to bypass the archive, and get
the latest stable from upstream. This is a huge failure. Upstreams
aren't becoming DDs and updating packages, despite the fact they can
package and maintain things.

Hell, teams packaging Mozilla-soft and PostgreSQL are DDs maintaining
*external archives* because it's easier.

The issue is, we have a model of software delivery that's slowly growing
more and more distant from the realities of shipping software today. Why
is this? What can we do? What do our users want? What do our users

Making it hard to install a new archive will only lead to more
workarounds, more FAQs telling users to dismiss warnings, and more
upstreams hell-bent on working against us, because we keep making their
lives harder.

This is a 100% larger conversation, and it's not about a hacky deb, it's
about how our place in the software ecosystem has been evolving, and we
need to evolve with it, or we'll find ourselves part of the problem we
were trying to solve in the first place.
