Hello, First, thanks Michael and Arnaud for the work on zope2.12 Debian packages. On 02/05/2011 Arnaud Fontaine wrote: > Once upon a time, zope2.X could be easily installed on Debian (until > 2.10), and thanks to dzhandle, it was pretty easy and straightforward to > use. Unfortunately it is not anymore since the upstream decided to move > to a modularized approach (with ZTK) ratherthan having a monolithic > tarball, which is a good thing, in most cases at least. > > Unfortunately, it has became a nightmare from a packager point of view, > because each released version of Zope depends upon specific versions > of these modules, which sometimes (often?) include backward-incompatible > changes, thus leading to conflicting dependencies between each released > version. > > Moreover, as of Zope 2.12, there are about 89 eggs pulled down as > dependencies when using the regular build process and the number is > growing because more and more duplicated code with ZTK is being moved > out of Zope2. > > In addition, several Zope applications, like Plone, require a specific > Zope version. Therefore, we also would like to be able to offer, at the > same time, several major versions of Zope (2.12 and 2.13 for example), > like we once did for Zope 2.9 and 2.10, and like we do for versions of > Python. > > > We thought about two solutions to address these issues: > > 1/ Versionning each component of the ztk so we can install at the same > time zope-foo 1.2.1 and zope-foo 1.3.0. > > 2/ Packaging inside a zope2.12 package all the requirements of zope2.12 > which are not the current mainstream ztk. > > Even if we don't really like it, the second solution seems the only > viable solution because of the number of modules and the breakage in > backward-compatibility. Not doing so would require versionned packages > for the 89 eggs required by Zope 2.12, and the same for those required > by Zope 2.13. > > > The purpose of this email is actually to let the debian-release and > debian-security teams know before finalizing the package, thus we can > make sure that the package gets accepted and gets advices as well. We > realize that's a big burden for those teams because of the duplicated > modules, but we are willing to take care of that as much as possible. Seems like neither Security-Team nor Release-Team responded to this mail. I added ftpmasters to Cc in order to give them a chance to comment. If I got it right, all packaging-related issues have settled down, and from a Debian pkg-zope team point of view, the zope2.12 packages are ready to be uploaded. Please be aware, that we as the Debian pkg-zope team are aware of the drawbacks of a monolithic zope2.12 package (with all zope eggs included), but we discussed this issue to death, and don't see another solution. You can take a look at the meeting summary[1] for further details. We (the Debian pkg-zope Team) feel responsible to help with any security- or license-issues that might arise with zope2 packages in the future. We also keep a close watch on the development of zope2, and switch the packages to depend on packaged zope eggs as soon as this might be an option (i.e. the zope eggs upstream maintainers guarantee backwards compability). So, the last showstopper before zope2.12 packages can be uplaoded, are comments by Security-Team, Release-Team and FTPMasters whether the solution we've choosen is ok for them for the time being. Please send us your comments in case you've any. On behalf of the Debian Zope2 packagers, Jonas Meurer
Attachment:
signature.asc
Description: Digital signature