Bug#506865: RFP: pylzma -- Platform independent python bindings for the LZMA compression library

[Stefano Zacchiroli <zack@debian.org>]

On Thu, Nov 27, 2008 at 07:59:44PM +0100, Daniel Rus Morales wrote:
> The upstream package contains most of the LZMA v4.42 sources, some
> of them were modified by the pylzma author. I tried to substitute
> some of the dependant sources compiling against lzma and lzma-dev
> official packages, but that does not work due to the current version
> provided by lzma and lzma-dev, that is the v4.43 (current upstream
> stable release for LZMA is already 4.57).
>
> To prevent any confusion between the version of LZMA provided by the
> package "lzma" and the one that comes with "python-pylzma" I added
> the release number to the later, so the package name is
> "python-pylzma-4.42".

Sorry, that's not acceptable, we can not ship two different versions
of LZMA in Debian, one quite well hidden into a binding. The reason is
security: if a security issue gets discovered about LZMA, we will need
to fix it into several places. More philosophically, free software is
about sharing, and with sharing (usually) comes factorization, we
should factorized the code.

Bottom line: PyLZMA should be make working with Debian's LZMA,
possibly getting in touch with LZMA's maintainers to apply patches if
needed. When doing that, please Cc this RFP.

> Could you sponsor the package?
> I'll wait for your remarks if any.

List of remarks follows (notwithstanding the showstopper above):

- debian/control should be 7, it is a new package, it is pointless to
  use an old debhelper, same goes for the debhelper deps in control

- you should reopen 401034, as you have been working on the package,
  to avoid duplicate work by someone else

- you should change the target distribution in changelog to
  experimental: we are near a Debian release, and unstable should not
  be targeted by packages which wont be part of Lenny anhow

- debian/copyright is quite a mess, why you have several licenses into
  it? it is pointless unless you explain which part of the (source)
  package are subject to each license. I suggest you to have a look at
  http://wiki.debian.org/Proposals/CopyrightFormat and implement that
  proposal in your debian/copyright

- debian/watch is missing, it shouldn't be

- distributing version.txt as a documentation is pointless

- regression tests are not (necessarily (all)) good examples

Finally, I'm no Python-stuff packaging guru (that's why I didn't
package PyLZMA by myself in the first place), and I particularly I've
never used python-central (only python-support), so for a review of
that I'd prefer you to ask for comments on some debian/python mailing
list. Again, please Cc the RFP in doing so.

When all this gets solved, I'll be more than happy to sponsor an
upload.

Thanks in advance,
Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime