[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Zope2 packaging


First, thanks Michael and Arnaud for the work on zope2.12 Debian

On 02/05/2011 Arnaud Fontaine wrote:
> Once upon  a time,  zope2.X could be  easily installed on  Debian (until
> 2.10), and thanks to dzhandle, it was pretty easy and straightforward to
> use. Unfortunately it is not  anymore since the upstream decided to move
> to  a modularized  approach (with  ZTK) ratherthan  having  a monolithic
> tarball, which is a good thing, in most cases at least.
> Unfortunately, it has became a  nightmare from a packager point of view,
> because  each released version  of Zope  depends upon  specific versions
> of these modules, which sometimes (often?)  include backward-incompatible
> changes, thus leading to  conflicting dependencies between each released
> version.
> Moreover,  as of  Zope 2.12,  there  are about  89 eggs  pulled down  as
> dependencies  when using  the regular  build process  and the  number is
> growing because  more and more duplicated  code with ZTK  is being moved
> out of Zope2.
> In addition,  several Zope applications, like Plone,  require a specific
> Zope version. Therefore, we also would  like to be able to offer, at the
> same time, several  major versions of Zope (2.12  and 2.13 for example),
> like we once did  for Zope 2.9 and 2.10, and like  we do for versions of
> Python.
> We thought about two solutions to address these issues:
> 1/ Versionning each  component of the ztk so we can  install at the same
>    time zope-foo 1.2.1 and zope-foo 1.3.0.
> 2/ Packaging inside a zope2.12  package all the requirements of zope2.12
>    which are not the current mainstream ztk.
> Even if  we don't  really like  it, the second  solution seems  the only
> viable solution  because of  the number of  modules and the  breakage in
> backward-compatibility. Not  doing so would  require versionned packages
> for the 89  eggs required by Zope 2.12, and the  same for those required
> by Zope 2.13.
> The  purpose of this  email is  actually to  let the  debian-release and
> debian-security teams  know before finalizing  the package, thus  we can
> make sure  that the package gets  accepted and gets advices  as well. We
> realize that's  a big burden for  those teams because  of the duplicated
> modules, but we are willing to take care of that as much as possible.

Seems like neither Security-Team nor Release-Team responded to this
mail. I added ftpmasters to Cc in order to give them a chance to

If I got it right, all packaging-related issues have settled down, and
from a Debian pkg-zope team point of view, the zope2.12 packages are
ready to be uploaded.

Please be aware, that we as the Debian pkg-zope team are aware of the
drawbacks of a monolithic zope2.12 package (with all zope eggs 
included), but we discussed this issue to death, and don't see another
solution. You can take a look at the meeting summary[1] for further

We (the Debian pkg-zope Team) feel responsible to help with any
security- or license-issues that might arise with zope2 packages in the
future. We also keep a close watch on the development of zope2, and
switch the packages to depend on packaged zope eggs as soon as this
might be an option (i.e. the zope eggs upstream maintainers guarantee
backwards compability).

So, the last showstopper before zope2.12 packages can be uplaoded, are
comments by Security-Team, Release-Team and FTPMasters whether the
solution we've choosen is ok for them for the time being. Please send us
your comments in case you've any.

On behalf of the Debian Zope2 packagers,
 Jonas Meurer

Attachment: signature.asc
Description: Digital signature

Reply to: