
3rd party sources in packages (was: Problems with packaging qtiplot)



On Thu, May 14, 2009 at 9:32 AM, Gudjon I. Gudjonsson <gudjon@gudjon.org> wrote:
>    I am wondering if the debian-science list can help me with a problem I do
> have with one of my packages, qtiplot. It is unfortunately terribly outdated,
> partly because of lack of time and partly because of complications with the
> upstream qwtplot3d.
> http://packages.qa.debian.org/q/qtiplot.html
> http://packages.qa.debian.org/q/qwtplot3d.html
>
> The upstream sources of qtiplot are shipped with 3rd party libraries but I
> have changed it in order to depend on libraries shipped with Debian. Now the
> 3rd party qwtplot3d library is so heavily changed that the only way is to ship
> the package with static qwtplot3d. My current sponsor is reluctant to sponsor
> the package with static libraries and I agree with him that there is the danger
> that a short time fix may end up as a permanent solution.

Hi,

Your options are to include the external package in the sources, or
wait until a stable release of the library in question has been
released. The first option seems to be a big no-no in Debian
(understandably, at least from a security standpoint) and the second
option leaves Debian users without an up-to-date version of your
package.

Since the library in question is not so critical security-wise, having
a 3rd party library in the package during a release or two does not
sound so bad to me, but IANADD, etc.

I also have a similar problem with the meshlab package I'm working on
(again). Upstream tarball includes several 3rd party sources, which
fortunately are all in Debian already. In this case the right thing to
do is clearly to build with Debian libraries, but should one also
repackage the source to get rid of the 3rd party code or not?

Teemu

