On Sun, 14 Sep 2025 19:04, Kent Overstreet <kent.overstreet@linux.dev> wrote:
Hi all, we're looking at getting bcachefs-tools back into Debian (we just re-opened an ITP). Was just speaking with you guys on IRC, where the possibility of a team meeting was raised, and I was directed to this list. [...] So, that's things from my end, and why I'm asking for an exception to the unbundling requirements. I'd like to hear things from your side, and see what we can do to address any issues this might cause on the Debian side. I'm aware of concerns over security updates; Fedora folks also raised build server overhead when we had this discussion with them. Like I mentioned we never managed to raise this discussion to the appropriate places in the past, so if there's other issues at play I'm looking to be educated :)
Hi Kent,if you're talking about crates.io vendoring, that's kinda unwanted in Debian. Multiple reasons come to mind:
- Security issues: If they occur the can be easily migitated by a rebuild archive-wide for the packaged crates (not when vendored) - Duplication: Inevitably crates will needlessly get duplicated (i.e. serde 1.0.212 and serde 1.0.100)
- Space: this increases the .debian.tar.xz size by a lotGenerally speaking, it can be done (Ubuntu does it for multiple packages there), but in Debian it's discouraged for above reasons. The only exception that I know of is src:librsvg, which IMO should be devendored since all its dependencies are now packages. That being said, you can vendor all crates under debian/missing-sources and then build from there (see librsvg). ftp-masters *should* accept it even if it's vendored as long as you detail everything in d/copyright. Security-wise you are responsiblee though, and the release team might not be happy about this. Hope this helps.
best, werdahias