Bug#1002856: RFP: openrgb -- Control RGB devices

To: Olek Wojnar <olek@debian.org>, 1002856@bugs.debian.org
Subject: Bug#1002856: RFP: openrgb -- Control RGB devices
From: Damyan Ivanov <dmn@debian.org>
Date: Sat, 10 Dec 2022 21:09:11 +0200
Message-id: <[🔎] 20221210190911.2jt2o564twzbvilq@fbd7c150-3361-11e8-8c11-5badabdd4a8d>
Reply-to: Damyan Ivanov <dmn@debian.org>, 1002856@bugs.debian.org
In-reply-to: <[🔎] f62a0006-c941-bebc-d57f-1c5cc952d1c0@debian.org>
References: <164085596823.396647.2864983691696794247.reportbug@alice.lan> <[🔎] f62a0006-c941-bebc-d57f-1c5cc952d1c0@debian.org> <164085596823.396647.2864983691696794247.reportbug@alice.lan>

-=| Olek Wojnar, 04.12.2022 21:25:04 -0500 |=-
> Hi there,
> 
> > I just had a quick look at the source code. The problem are the vendored
> > headers in the dependencies/ folder. Per debian policy they need to be
> > packaged themselves.
> 
> I was just looking at this package as well and I was a bit confused by your
> comment. What exactly are you seeing in the dependencies folder that would
> require separate library packages?

Basically everything that is not authored by the OpenRGB developers as 
part of OpenRGB? I would guess most of the content under dependencies 
is just copied from somewhere for convenience.

> Could you also please point me to the policy that requires this?

 4.13. Embedded code copies
 ==========================

 Some software packages include in their distribution convenience 
 copies of code from other software packages, generally so that users 
 compiling from source don’t have to download multiple packages. 
 Debian packages should not make use of these convenience copies 
 unless the included package is explicitly intended to be used in this 
 way.  [17]
 If the included code is already in the Debian archive in the form of 
 a library, the Debian packaging should ensure that binary packages 
 reference the libraries already in Debian and the convenience copy is 
 not used. If the included code is not already in Debian, it should be 
 packaged separately as a prerequisite if possible.  [18]

 [17] For example, parts of the GNU build system work like this.

 [18] Having multiple copies of the same code in Debian is 
      inefficient, often creates either static linking or shared 
      library conflicts, and, most importantly, increases the 
      difficulty of handling security vulnerabilities in the 
      duplicated code.

So it is not strictly required, but a strong recommendation:

 * The terms *should* and *should not*, and the adjective 
   *recommended*, denote best practices. Non-conformance with these 
   guidelines will generally be considered a bug, but will not 
   necessarily render a package unsuitable for distribution. These 
   statements correspond to bug severities of *important*, *normal*, 
   and *minor*. They are collectively called *Policy recommendations*.

If you go with the bundles, don't forget to add them to the security 
tracker at 
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies



 -- Damyan, hoping for the best

Reply to:

References:
- Bug#1002856: RFP: openrgb -- Control RGB devices
  - From: Olek Wojnar <olek@debian.org>

Prev by Date: Bug#981304: marked as done (ITP: blop-lv2 -- Mike Rawes' LADSPA plugins ported to LV2)
Next by Date: Bug#981375: ITP: vivid -- `vivid` é um gerador para a variável de ambiente LS_COLORS.
Previous by thread: Bug#1002856: RFP: openrgb -- Control RGB devices
Next by thread: Bug#1025460: ITP: mock -- Build rpm packages inside a chroot
Index(es):
- Date
- Thread