Vagrant Cascadian <vagrant@debian.org> writes:

> To the broader topic, I am not quite sure I ever recovered from the
> realization that guix cannot (yet?) be reasonably packaged in
> Debian. The only reason I maintained a few guile packages was to support
> guix; I have no real love of guile or scheme... so moving over the
> packages I was maintaining to a team probably makes a lot of sense!

Great! I am hoping that if upstream Guix picks up pace with releases,
we can get Guix back into Debian. I never understood the argument to
drop it in the first place, though, so I may be missing some context.
Security bugs are not a valid reason to remove a package to me; we have
known vulnerabilities in tons of packages without ever removing them.

> Similar story for mes ... have not been able to maintain that
> package itself or its guile dependencies either... it might be of
> questionable use at the moment... I had originally packaged it as part
> of a cross-distro bootstrapping experiment, but there was always a
> tension with packagability in Debian...

I may be hijacking the Debian Scheme Team here, but I think it would be
okay to have 'mes' under the Debian Scheme Team umbrella too.

> I have also had the impression that basically any time any dependency of
> a guile package changes, it should probably be binNMUed to regenerate
> the .go files ... especially when there is an involved C binding
> ... which I have sometimes done with sourceful uploads, but definitely
> could not always keep up with.

I don't fully understand the requirements here, but I also think the
current situation seems problematic. Expressing the dependency using
Static-Built-Using would be one step, but I'm not sure if guile itself
should be in there?

One comparison is with binaries built from C, they don't have
'Static-Built-Using: gcc' in them. Although I think in theory they
should -- if gcc generates insecure code, you would want to rebuild the
binaries built using that compiler.

Maybe 'Static-Built-Using' is a Debian hack to re-invent the Guix
bootstrappability graph, but in an incomplete way. So until we have
developed some understanding that we solve any real problem, maybe we
should hold off adding Static-Built-Using to guile packages.

> I think *most* of the guile packages are fairly narrow in scope and
> relatively easy to maintain with well documented licensing and friendly
> upstreams.

This is my experience too.

/Simon