Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Enrico Weigelt, metux IT consult]

On 11.04.19 09:44, Mo Zhou wrote:

> Different from that, duprkit's design don't hope to limit> the user with any 
> pre-defined "sequence", but enable the users to>
selectively call the functions they need. In other words, the> user can
define how to deal with the prepared source+debian directories,>
afterall the .durpkg header is a shell script. That said, I think> some
more helper functions would be nice: [1].
I'm still struggling to understand why simply using old-fashioned
./debian/rules file (possibly w/o using debhelper+friends) isn't
sufficient here.

AFAIK, all that tools like buildd do for actual build is calling that
rule file w/ some specific target names (eg. 'binary'). You can put in
anything you like here - it's just a makefile. Theoretically, you could
also use shellscript instead.

If you drop the idea of having everything in a single file in favour
of debian trees (= something that has the 'debian' subdirectory with
a 'rules' file in it), the existing debian toolchains could be used.

> My blueprint includes a very light-weight/simple dependency tracking> 
> mechanism. And I assume the project don't need to handle complex dep>
trees like apt. Because:> > 1. If a package is common and useful enough,
such that it has been>adopted by many other projects, why don't I
package it for the>official Debian release? So, I expect that most
packages that DUPR>will deal with, are actually leaf or near-leaf
packages on the>dependency tree.
Okay, that's a different topic. We have three options here:

a) put it into official debian repo. that would go the usual ways, but
   takes pretty long, until the next release is out and the desired
   audience actually uses it.

b) add it to backports repos. i'm not sure how the actual workflows
   and release timelines look here.

c) go the PPA route. here we'd need some repo-level dependency handling
   (not sure what tools exist here), and we'd have to coordinate between
   several PPAs

> 2. Some of my targeted upstreams do sourceless binary tarball release.>
> They seldom get into the dependency trouble...

When I have to touch those stuff, I basically always run into trouble.
Many subtle breaks, that are extremly hard to resolve (even to track
down). Those stuff I'm only doing in containers. Binary-only stuff is
not trustworthy at all, so it really should be strictly confined.

Those vendors (eg. Microsoft/Skype) also like to mess w/ package manager
configuration, have implicit dependencies like silly Lennartware, etc.
I never ever run such crap outside a strictly confined container.

One of the worst things I've ever seen is coming from National
Instruments (which don't support Debian anyways, just ancient RHEL)
Traditionally they only provided ridiculous installer programs
(just like they're used to from the dillettantic Windows world)
that do lots of really weird things, even messing w/ the kernel
(yeah, they still insist on binary-only kernel modules, that's
always broken-by-design).

Somewhere in last summer they learned what package repos are for,
well, just partially learned. They now messed w/ the repo configs and
installed a globally trusted package source with explicitly disabled
authentication and plain http. Boom - 0day !

Due to their long history of hostility, total bullshit and censorship in
their own "community", I've posted that @full-disclosure (even goverment
institutions like BSI called by for interviews on that matter - their
products also run in critical infrastructure like power plants). Again
it took several month for the issue to be migitated by NI.

> 3. Inserting a DUPR package into the near-root part of the Debian>
> dependency tree is, generally speaking, a terrible idea.>Only
those who aware of what they are doing will do this.
ACK. Those stuff belongs into throwaway-containers.

> The `bin/duprCollector` will collect meta information from a collection> (and 
> will form a dependency tree in the future). I have no plan to>
rethink about the "get-orig-source" target since there are ... lots> of
weird upstreams in my list...
Maybe we should talk about some of these cases, to get a better idea.

In general, we IMHO should rethink the workflows for creating the actual
buildable debian tree from upstream releases (in many packages that's
still pretty manual and hackish)


--mtx

-- 
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Enrico Weigelt, metux IT consult]

On 10.04.19 16:56, Helmut Grohne wrote:

Hi,

> I looked into this. Your reasons are sound and you are scratching your> itch. 
> This is great.
ACK. It's always good when people make their hands dirty and work on
solving actual problems. Even if the actual output (=code, etc) finally
doesn't get wide use or even thrown away completely, we still a lot
that way.

When I look back into my earlier years, I've written lots of things that
never have been actually used, but I've learned a lot that way.

> Your implementation goes straight from .durpkg -> .deb. I question this> 
> decision: We already have lots of tools to go from .dsc to .deb. Your>
implementation replicates part of that and I think, this is bad as it>
makes it harder to collaborate.
I did a similar decision w/ dck-buildpackage, because I came to the
conclusion that intermediate steps via dsc are just unncessary
complexity and slowdown. But the motivation of dck-buildpackage was
getting rid of complicated and cumbersome things like pbuilder.

So, I can understand to his decision - he probably doesn't need anything
from the dsc-based tools, as he's operating in a completely different
scope.

> Let me propose a rather intrusive interface change to duprkit. What if> the 
> result of building a .durpkg was a .dsc rather than a .deb? Then
you> could split duprkit into two tools:> >  * One tool to build source
packages from .durpkg files on demand.>  * One tool to build a specific
binary package from a given deb-src>repository.
Let me propose an even more consequent approach: let it operate even one
step earlier in the pipeline by just generating a debianized source
tree. You could then use the tool of your choice to create dsc from that
and put in whatever kind of pipeline you prefer. My personal choice here
would be dck-buildpackage, and my infrastructure ontop of that.

By the way, this opens up another common topic: how do we get from an
upstream tree (in git repo) to a debianzed source tree w/ minimal manual
efforts ?

> Now in principle, the latter is simply sbuild or pbuilder, but there is> more 
> to it:>  * Given the binary package name, figure out which source
package must>be built.

Yet another tricky issue. The primary data source for that usually are
the control files. But they also somethimes are autogenerated.

Could we invent some metadata language for this, that also can handle
tricky cases like the kernel ?

>  * Given that source package's Build-Depends, figure out what other>
> binary packages need to be built.>  * Recurse.>  * Build them in a
suitable order.

You're talking about building whole overlay repos ?
Then I might have something for you:

https://github.com/metux/deb-pkg

Note: it's still pretty hackish and needs some local per-project
customizations. Haven't had the time to make some general purpose
standalone package of it.

I'm just using it for building per private extra repos for my customers.

If anybody likes to join in and turn it into some general purpose
package, let's talk about that in a different thread. The first step
would be creating a decent command line interface (for now, the run-*
scripts are just project-specific dirty hacks to save me from typing
too much ;-)).

> (Some people will observe that this is the "bootstrap" problem. ;)

Not really bootstrap problem, but depenency problem. Easier to solve :p

> There is one major difficulty here (and duprkit doesn't presently solve> that 
> either): If you figure that some binary package is missing, you>
have no way of knowing which .durpkg file to build to get the relevant>
source package.

Yes, he'd have to reinvent the dependency handling. This is one of the
points that let me question the whole approach and favour completely
different approaches like classic containers.

> Now let's assume that you do want to allow complex dependencies in this
> user repository. In this case, it would make sense to trade .durpkg
> files for plain "debian" directories with an additional debian/rules
> target to obtain the source. (We removed "get-orig-source" from policy a
> while ago, but maybe this is what you want here.)

Sounds a good idea.

Maybe we should put this to a broader discussion, along w/ the control
file generation problem. My desired outcome of that would be a generic
way for fully automatically building everything from a debianzed source
tree (eg. git repo) within a minimal container/jail, w/o any other extra
configuration outside that source tree - even for those cases where the
control file needs to be generated, which again needs some deps.


--mtx

-- 
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Enrico Weigelt, metux IT consult]

On 10.04.19 03:53, Russ Allbery wrote:

Hi,

> Possibly my least favorite> thing about RPMs is the spec files, because by 
> smashing everything>
together into the same file, the syntax of that file is absurd.  This
bit> is a shell script!  This bit is a configuration file!  This bit is>
human-readable text!  This bit is a patch list!  This bit is a file>
manifest!  This bit is a structured changelog!  This bit is a bunch of>
preprocessor definitions!  Aie.
Same for me.

Certainly, deb and debian methods also have their downsides:

#1: text-based patches inside debian/ make everything unncessarily
complex, as soon as you're working w/ a decent VCS (eg. git).
their historical purpose is long obsoleted (since over a decade)

#2: for many common usecases, full-blown makefile is too much
complexity, and even w/ debhelper, knowing which variables have
to be set in which exact way, isn't entirely trivial.
some purely declarative rule file (eg. yaml) would make those very
common usecases much easier.

#3: when you have to generate the control file on the fly, things easily
get messy - i'm currently fighting here w/ packaging the kernel.
the problem is that this file contains the source package name and
source dependencies, which need to be known before the control file
can be generated. circular dependency.

I'm currently working around that by having a separate control file
(debian/control.bootstrap) which is used by my build machinery
(dck-buildpackage) in a separate preparation step, when control file
is missing.


But still, IMHO, the debian packaging toolstack is much superior to
anything else i've every encountered.


--mtx

-- 
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Shengjing Zhu]

On Sun, Apr 14, 2019 at 4:02 AM Thomas Goirand  wrote:
>
> On 4/8/19 7:16 PM, Shengjing Zhu wrote:
> >> from PPA (source+binary-based).
> >
> > If people just want a PPA which supports Debian, please just take a
> > look at OBS[1].
> >
> > I've seen many upstreams provide packages with OBS, and most
> > distributions are supported.
> > Not only deb, but also rpm, from Debian/Ubuntu to OpenSuse/Fedora, and
> > even Archlinux, in a uniform way.
> >
> > [1] https://build.opensuse.org/
>
> I don't see how OBS may help us. The proposal from Ganneff about
> bikesheds was much nicer (ie: using our already existing buildd and FTP
> infrastructure, and keeping our quality standard), than then path this
> thread is taking.
>
> If we are to propose sub-standard PPA like repositories, I would myself
> try to avoid them.

Who is "us"? If they are Debian {Developer, Maintainer, Contributor},
why they ever want to use PPA and its alternatives?

And I don't think OBS is much different from PPA, except one supports
build against Debian archive, another just Ubuntu.

PS, OBS here refers to the free service, not the OBS software.

-- 
Shengjing Zhu

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Thomas Goirand]

On 4/8/19 7:16 PM, Shengjing Zhu wrote:
>> from PPA (source+binary-based).
> 
> If people just want a PPA which supports Debian, please just take a
> look at OBS[1].
> 
> I've seen many upstreams provide packages with OBS, and most
> distributions are supported.
> Not only deb, but also rpm, from Debian/Ubuntu to OpenSuse/Fedora, and
> even Archlinux, in a uniform way.
> 
> [1] https://build.opensuse.org/

I don't see how OBS may help us. The proposal from Ganneff about
bikesheds was much nicer (ie: using our already existing buildd and FTP
infrastructure, and keeping our quality standard), than then path this
thread is taking.

If we are to propose sub-standard PPA like repositories, I would myself
try to avoid them.

Cheers,

Thomas Goirand (zigo)

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Paul Wise]

On Fri, Apr 12, 2019 at 3:27 PM Simon McVittie wrote:

> Flatpak treats /usr as immutable (with the exception of mounting
> "extensions" on pre-prepared empty directories) and mounts it read-only in
> the container. If it didn't, it wouldn't be able to use content-addressed
> storage (the storage can't be content-addressed if the content changes).
> In the usual way to use Flatpak, with a shared runtime for a family of
> related packages like "the GNOME apps", apps would end up accidentally
> or deliberately modifying each other's runtimes if they weren't read-only.

I expected the Flatpak /app directory to also be entirely read-only,
are there parts of /app that are not read-only?

> If the user-facing leaf package is really installed in the runtime, with
> a different runtime for each user-facing leaf package, you're right that
> the Flatpak app could mostly contain symlinks into /usr. A few metadata
> and integration files that get "exported" to the host system (such as
> .desktop files and icons) would have to be copied instead of symlinked,
> because the host system needs to be able to read those without entering
> the container.

It sounds like my idea might be a viable way to generate automatically
Flatpaks directly from leaf Debian packages then, thanks for the info.
I might at some point take a look at adding such a mode to flatdeb,
would you accept having that as an option?

> flatdeb installs apt/dpkg/essential, but then deletes apt, dpkg and ...

Yeah, I noticed that so I was glad when mmdebstrap's sub-essential
stuff came along.

> The matching SDK runtime that is used to compile apps

I don't know enough about SDKs in the Flatpak world, would they
contain something like the Build-Depends and their recursive deps?

> Instead of using sudo or ssh to a remote (usually virtual) machine to
> get root so that it can run debootstrap and dpkg, flatdeb now runs debos
> on the local machine.  This means it's root in debos' temporary qemu VM,
> and doesn't need privileges other than /dev/kvm access in the host system.

That sounds like a much better design.

> In principle there'd be nothing to stop debos from using something
> like user-mode-linux as an alternative to qemu/KVM.

I guess you could also use container tools like systemd-run with user
namespaces (once those are enabled by default)?

> One per desktop task, plus one for the Priority >= standard default
> CLI installation, would be quite a lot of data but could be good for
> bisecting, yes. I'd suggest doing this with debos, which has built-in
> support for committing trees to libostree and doesn't need root on the
> host system.

Cool, thanks for the information :)

--
bye,
pabs

https://wiki.debian.org/PaulWise

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Simon McVittie]

On Fri, 12 Apr 2019 at 10:49:57 +0800, Paul Wise wrote:
> Is there any reason that making /app a
> symlink to /usr (or a directory containing only links to /usr)
> wouldn't work inside Flatpak packages?

Flatpak treats /usr as immutable (with the exception of mounting
"extensions" on pre-prepared empty directories) and mounts it read-only in
the container. If it didn't, it wouldn't be able to use content-addressed
storage (the storage can't be content-addressed if the content changes).
In the usual way to use Flatpak, with a shared runtime for a family of
related packages like "the GNOME apps", apps would end up accidentally
or deliberately modifying each other's runtimes if they weren't read-only.

If the user-facing leaf package is really installed in the runtime, with
a different runtime for each user-facing leaf package, you're right that
the Flatpak app could mostly contain symlinks into /usr. A few metadata
and integration files that get "exported" to the host system (such as
.desktop files and icons) would have to be copied instead of symlinked,
because the host system needs to be able to read those without entering
the container.

> I had planned to do this using
> mmdebstrap, which now offers installation of Debian systems that don't
> have apt/dpkg/essential, by using the new dpkg root stuff.

flatdeb installs apt/dpkg/essential, but then deletes apt, dpkg and
a few other parts of essential/important that make little sense in a
single-user container (such as mount, adduser, passwd) with dpkg --purge
--force-depends --force-remove-essential before preparing the Platform
runtime that is used to run apps. The matching SDK runtime that is used
to compile apps still has the full set of packages.

It also deletes perl-base if perl isn't installed, and python-minimal
if python isn't installed.

> Hmm, last time you presented flatdeb, it wasn't using debos, how does
> debos get used in flatdeb now?

Instead of using sudo or ssh to a remote (usually virtual) machine to
get root so that it can run debootstrap and dpkg, flatdeb now runs debos
on the local machine.  This means it's root in debos' temporary qemu VM,
and doesn't need privileges other than /dev/kvm access in the host system.

In principle there'd be nothing to stop debos from using something
like user-mode-linux as an alternative to qemu/KVM.

> It might also be interesting to start importing the standard Debian
> installations into an OSTree archive

One per desktop task, plus one for the Priority >= standard default
CLI installation, would be quite a lot of data but could be good for
bisecting, yes. I'd suggest doing this with debos, which has built-in
support for committing trees to libostree and doesn't need root on the
host system.

smcv

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Paul Wise]

On Thu, Apr 11, 2019 at 7:01 PM Simon McVittie wrote:

> The "app" (directly-user-facing part) in a Flatpak package will be mounted
> on /app and so is expected to be built with --prefix=/app, so you can't
> reuse a compiled binary .deb unless it's for something that happens to be
> relocatable already. The runtime (chroot-like library stack to run apps)
> is built with --prefix=/usr, so it's usually easy to reuse binary .debs
> for that.

Has anyone done any rebuild testing to see how many packages hard-code
the prefix in their binaries?

Having to recompile everything once more for each "app" package seems
like a lot of extra CPU time. Is there any reason that making /app a
symlink to /usr (or a directory containing only links to /usr)
wouldn't work inside Flatpak packages? I had planned to do this using
mmdebstrap, which now offers installation of Debian systems that don't
have apt/dpkg/essential, by using the new dpkg root stuff. I was
blocked by the lack of a DPKG_CONFIG variable though, otherwise the
system dpkg config interferes with the process if you have certain
packages installed.

> https://gitlab.collabora.com/smcv/flatdeb builds Flatpak runtimes from
> an apt repository using debos and debootstrap.

Hmm, last time you presented flatdeb, it wasn't using debos, how does
debos get used in flatdeb now?

> The example runtime recipes provided with
> flatdeb are "Base" ... and "Games"

I still think one runtime per "app" package is the way to go.

It might also be interesting to start importing the standard Debian
installations into an OSTree archive, so we could do things like
bisect bugs between stable and current sid. As well as share files
between all the runtimes and apps.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Simon McVittie]

On Thu, 11 Apr 2019 at 09:54:47 +, Mo Zhou wrote:
> On Thu, Apr 11, 2019 at 09:26:15AM +0100, Simon McVittie wrote:
> > On Thu, 11 Apr 2019 at 07:44:30 +, Mo Zhou wrote:
> > It might be interesting to look at game-data-packager, which is another
> > tool that builds and optionally installs .deb files for data that is
> > not suitable for the Debian archive (in most cases not even for non-free),
> > without going via a .dsc or source package.
> 
> Any link please? Both apt-file-search and google found nothing.

https://tracker.debian.org/pkg/game-data-packager

It's in contrib.

> > I can't help thinking that a sandboxed app system like Flatpak or Snap
> > would be a better fit than .deb for leaf packages that have had minimal
> > or no review and don't really need to be part of the operating system.
> > For various reasons my preference is Flatpak (obviously, I wouldn't
> > maintain it otherwise) but I'm sure that proponents of Snap would tell
> > you that it should also be a candidate.
> 
> I don't have experience with Flatpak/Snap. However sandboxing sounds
> great.  Is there any existing work that helps one convert existing .deb
> into flatpack/snap format? I'd be glad to enable DUPR build Flatpack/Snap
> packages in the future, if possible.

If your goal is to turn something that is not in Debian into a Flatpak
app, going via a .deb seems an unnecessarily indirect route. Flatpak
already has the flatpak-builder package, which takes a JSON or YAML
manifest and uses it to build software from source, typically by cloning
from a git URL and compiling it in a special "SDK" container that has all
the necessary development tools. As with dpkg, the "source" can be a set
of binary blobs if that's all you have. The software to be downloaded
can be checked against hashes supplied by the maintainer of the Flatpak
app or runtime.

Flathub, the reference Flatpak repository, works by accepting
flatpak-builder manifests and building them. Flathub is analogous to the
role of Dockerhub in Docker, Github in the Go ecosystem, or Launchpad PPAs
in third-party addons for Ubuntu: Flatpak is a federated/decentralized
system in which anyone can run their own repository, a lot like apt,
but Flathub is the large "hub" repository used by anyone who doesn't
have a reason to host their project elsewhere.

Flatpak also has an "extra data" mechanism which downloads and manipulates
binary blobs directly from upstream on the end-user system without hosting
a copy on the Flatpak equivalent of an apt repository, which can be used
for binary blobs that the maintainer of the Flatpak app or runtime does
not have permission to redistribute. The main use case for this is (the
user-space part of) the proprietary Nvidia driver. Again, the binary
blobs are authenticated against hashes supplied by the maintainer of
the Flatpak app or runtime, so that only known-good versions are used.

I assume Snap has something similar to some or all of these but I don't
use it myself and don't know the details. My understanding is that Snap
is less federated/more centralized than Flatpak, but that might be
outdated information.

The "app" (directly-user-facing part) in a Flatpak package will be mounted
on /app and so is expected to be built with --prefix=/app, so you can't
reuse a compiled binary .deb unless it's for something that happens to be
relocatable already. The runtime (chroot-like library stack to run apps)
is built with --prefix=/usr, so it's usually easy to reuse binary .debs
for that.

https://gitlab.collabora.com/smcv/flatdeb builds Flatpak runtimes from
an apt repository using debos and debootstrap. The resulting runtimes
are a Debian-based alternative to the reference "freedesktop" runtimes
published on Flathub, which are either used directly by apps with lighter
dependencies, or used as the basis for the GNOME and KDE runtimes used by
apps with heavier dependencies. The example runtime recipes provided with
flatdeb are "Base", which is a minimal CLI system, and "Games", which can
run OpenArena (and probably nothing else yet).

flatdeb also supports building Flatpak apps from a binary .deb (assuming
its contents are relocatable) or an unpacked source package, but that part
isn't my focus right now and might have stopped working. The example app
recipes provided with flatdeb are hello, bash-static and mesa-utils (built
by unpacking a binary .deb that happens to be sufficiently relocatable),
and OpenArena (a hybrid approach, with ioquake3 and openarena rebuilt from
source, and the openarena-data family of packages unpacked and relocated).

For more information please see my Debconf 17 presentation, linked from
.

At the moment my focus in my work project is using flatdeb-built
runtimes for ad-hoc containers that share bubblewrap, Flatpak's
container-runner/sandbox helper, but do not actually use Flatpak. I'll try
to publish more information about this when it goes into production 

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Andrey Rahmatullin]

On Thu, Apr 11, 2019 at 09:54:47AM +, Mo Zhou wrote:
> Any link please? Both apt-file-search and google found nothing.
It's in contrib.
https://tracker.debian.org/pkg/game-data-packager

-- 
WBR, wRAR


signature.asc
Description: PGP signature

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Mo Zhou]

Hi,

On Thu, Apr 11, 2019 at 09:26:15AM +0100, Simon McVittie wrote:
> On Thu, 11 Apr 2019 at 07:44:30 +, Mo Zhou wrote:
> It might be interesting to look at game-data-packager, which is another
> tool that builds and optionally installs .deb files for data that is
> not suitable for the Debian archive (in most cases not even for non-free),
> without going via a .dsc or source package.

Any link please? Both apt-file-search and google found nothing.

> If I had enough free time, my long-term plan for g-d-p is to make
> it optionally produce Flatpak apps or extensions (based on either
> the reference "freedesktop" runtimes available on Flathub, or a new
> Debian-provided runtime) instead of .deb files, to make it easier to run
> its supported games in a sandbox to mitigate any security vulnerabilities
> that they might have.
>
> I can't help thinking that a sandboxed app system like Flatpak or Snap
> would be a better fit than .deb for leaf packages that have had minimal
> or no review and don't really need to be part of the operating system.
> For various reasons my preference is Flatpak (obviously, I wouldn't
> maintain it otherwise) but I'm sure that proponents of Snap would tell
> you that it should also be a candidate.

I don't have experience with Flatpak/Snap. However sandboxing sounds
great.  Is there any existing work that helps one convert existing .deb
into flatpack/snap format? I'd be glad to enable DUPR build Flatpack/Snap
packages in the future, if possible.

> > afterall the .durpkg header is a shell script
> 
> I'm sure the costs and benefits are different for your use case, but as
> a data point: game-data-packager used to have an ad-hoc shell script per
> supported game. It has been *much* nicer to maintain since its redesign
> as a Python program that reads declarative recipes.

I've ever thought about providing a Python interface in duprkit, such
that a .durpkg can be either
  (shell script) + (HFT part)
or
  (python script) + (HFT part)

I hesitate to move forward on that direction because not everybody
can write python; but everyone who types commands in the terminal
can write basic shell.
 
> What proportion of AUR users do you think genuinely do this?
> 
> What proportion of AUR users do you think are sufficiently experienced
> to be able to recognise malicious code in a packaging recipe or an
> upstream release?

TBH IDK. Umm... At least I'm not blindly accepting PRs to the
DefaultCollection.

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Simon McVittie]

On Thu, 11 Apr 2019 at 07:44:30 +, Mo Zhou wrote:
> On Wed, Apr 10, 2019 at 04:56:51PM +0200, Helmut Grohne wrote:
> > It seems that a key aspect of this thing is avoiding to (re)distribute
> > sources.

It might be interesting to look at game-data-packager, which is another
tool that builds and optionally installs .deb files for data that is
not suitable for the Debian archive (in most cases not even for non-free),
without going via a .dsc or source package.

Some key differences:

* game-data-packager recipes are part of its source code. Each version
  uploaded to Debian contrib supports a fixed set of games.

* game-data-packager normally only has a trivial "compilation" step,
  although for Quake II expansions (what we'd now call DLC) it does need to
  compile C code.

* game-data-packager doesn't expect users to review the recipes that build
  its packages. They're reviewed by a DD (in practice, me) before entering
  a release. For games that contain executable code (Quake II expansions),
  I also review the changes to that executable code whenever I update to a
  new version.

* game-data-packager has this design principle: if a component can have
  bugs, and they are bugs that Debian can (technically and legally)
  fix, then we try to put that component in the Debian contrib apt
  archive, not in the game-data-packager-produced .deb. For example,
  quake3.desktop and unreal.desktop can easily have bugs (missing
  translations or Keywords or similar), and they were written by Debian
  contributors under a Free Software license, so we put them in quake3.deb
  and game-data-packager-runtime.deb (respectively) in the Debian contrib
  apt archive, not in the quake3-data.deb and unreal-gold.deb produced
  by g-d-p.

* game-data-packager recipes are declarative (YAML) and don't attempt to
  be compatible with the full generality of Debian packaging. Individual
  games can have "plugins" to provide imperative build/packaging steps,
  but those are part of game-data-packager's source code.

If I had enough free time, my long-term plan for g-d-p is to make
it optionally produce Flatpak apps or extensions (based on either
the reference "freedesktop" runtimes available on Flathub, or a new
Debian-provided runtime) instead of .deb files, to make it easier to run
its supported games in a sandbox to mitigate any security vulnerabilities
that they might have.

I can't help thinking that a sandboxed app system like Flatpak or Snap
would be a better fit than .deb for leaf packages that have had minimal
or no review and don't really need to be part of the operating system.
For various reasons my preference is Flatpak (obviously, I wouldn't
maintain it otherwise) but I'm sure that proponents of Snap would tell
you that it should also be a candidate.

> afterall the .durpkg header is a shell script

I'm sure the costs and benefits are different for your use case, but as
a data point: game-data-packager used to have an ad-hoc shell script per
supported game. It has been *much* nicer to maintain since its redesign
as a Python program that reads declarative recipes.

> > I don't think I would start using such a user repository. I'm much too
> > scared about it. 
> 
> Understand. The nature of AUR is similar: every user is recommened to
> review the code before execution to confirm safety.

What proportion of AUR users do you think genuinely do this?

What proportion of AUR users do you think are sufficiently experienced
to be able to recognise malicious code in a packaging recipe or an
upstream release?

smcv

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Mo Zhou]

Hi Helmut,

Thank you very much for the detailed review! :-)

On Wed, Apr 10, 2019 at 04:56:51PM +0200, Helmut Grohne wrote:
> It seems that a key aspect of this thing is avoiding to (re)distribute
> sources. You give good reasons for why this is needed and I see no need
> to reiterate or discuss them.

Indeed.

> Your implementation goes straight from .durpkg -> .deb. I question this
> decision: We already have lots of tools to go from .dsc to .deb. Your
> implementation replicates part of that and I think, this is bad as it
> makes it harder to collaborate.
> 
> Let me propose a rather intrusive interface change to duprkit. What if
> the result of building a .durpkg was a .dsc rather than a .deb? Then you
> could split duprkit into two tools:
> 
>  * One tool to build source packages from .durpkg files on demand.
>  * One tool to build a specific binary package from a given deb-src
>repository.
> 
> Now in principle, the latter is simply sbuild or pbuilder, but there is
> more to it:
>  * Given the binary package name, figure out which source package must
>be built.
>  * Given that source package's Build-Depends, figure out what other
>binary packages need to be built.
>  * Recurse.
>  * Build them in a suitable order.
> 
> (Some people will observe that this is the "bootstrap" problem. ;)

Good point! This is easy to improve. And this suggestion is actually
not intrusive at all. AUR's PKGBUILD builder sources the PKGBUILD
file for variables and some functions, then execute a pre-defined
sequence. Different from that, duprkit's design don't hope to limit
the user with any pre-defined "sequence", but enable the users to
selectively call the functions they need. In other words, the
user can define how to deal with the prepared source+debian directories,
afterall the .durpkg header is a shell script. That said, I think
some more helper functions would be nice: [1].
 
> There is one major difficulty here (and duprkit doesn't presently solve
> that either): If you figure that some binary package is missing, you
> have no way of knowing which .durpkg file to build to get the relevant
> source package.

My blueprint includes a very light-weight/simple dependency tracking
mechanism. And I assume the project don't need to handle complex dep
trees like apt. Because:

1. If a package is common and useful enough, such that it has been
   adopted by many other projects, why don't I package it for the
   official Debian release? So, I expect that most packages that DUPR
   will deal with, are actually leaf or near-leaf packages on the
   dependency tree.

2. Some of my targeted upstreams do sourceless binary tarball release.
   They seldom get into the dependency trouble...

3. Inserting a DUPR package into the near-root part of the Debian
   dependency tree is, generally speaking, a terrible idea.
   Only those who aware of what they are doing will do this.

The simple dep tracking mechanism will be implemented following
the Collection-Manifest collection functionality. Everything
looks fine so far, and I'll package more stuff to see whether
the assumption/blueprint is correct.

> Before tackling that problem, the question arises of whether that
> problem is in scope. Does duprkit really want to handle complex
> dependencies or is the idea really to just get the stuff into users
> hands? 

No. As explained above.

> In the latter case, vendoring likely is a simple way to avoid
> this problem entirely.

Agreed.
 
> Now let's assume that you do want to allow complex dependencies in this
> user repository. In this case, it would make sense to trade .durpkg
> files for plain "debian" directories with an additional debian/rules
> target to obtain the source. (We removed "get-orig-source" from policy a
> while ago, but maybe this is what you want here.)

The `bin/duprCollector` will collect meta information from a collection
(and will form a dependency tree in the future). I have no plan to
rethink about the "get-orig-source" target since there are ... lots
of weird upstreams in my list...

> If you go this route, you can just scrape those debian/control files to
> figure out which .durpkg files to convert into .dsc files.

It will be easy to unfold all .durpkg files into prepared debian/
directories, which makes meta info collection straightforward.
To be implemented: [2]
 
> I don't think I would start using such a user repository. I'm much too
> scared about it. 

Understand. The nature of AUR is similar: every user is recommened to
review the code before execution to confirm safety.

> Yet, the second part of the problem seems interesting
> to me: Taking a (possibly local) repository of source packages and
> building a specific binary package (plus everything that's needed to get
> there). I think that you can increase collaboration by changing your
> interface in a way that makes it easier to reuse in other settings.

This is also a good point. At this point I think taking advantages
from sbuild would ne 

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

On Thu, Apr 11, 2019 at 08:40:07AM +0200, Thomas Goirand wrote:
> On 4/7/19 4:34 PM, Mo Zhou wrote:
> > I as the
> > initiator of the idea would definitely take action if I got enough
> > positive feedbacks.
> 
> Great! Go ahead, and get in touch with the FTP team.

Much progress has been made for the prototype, it gradually gets more
and more features / functionalities:
https://github.com/dupr/duprkit/releases

And I'm an FTP Trainee :-)
It may sounds funny that a guy who review packages regarding Debian's
high quality standard had proposed such a surprisingly standard-ignoring
packaging motivation. However it is nice to allow one to create
working packages with as less effort as possible.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Thomas Goirand]

On 4/7/19 4:34 PM, Mo Zhou wrote:
> Hi,
> 
> The problem is not "who is responsible for implementing this", but "is
> this valuable enough to implement".

Opposite way. The problem is who's implementing. We all know this has a
lot of values.

> If a group of people think it worthwhile to do something

I believe everybody think it is.

> I as the
> initiator of the idea would definitely take action if I got enough
> positive feedbacks.

Great! Go ahead, and get in touch with the FTP team.

Cheers,

Thomas Goirand (zigo)

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Helmut Grohne]

Hi Mo,

On Mon, Apr 08, 2019 at 11:18:14AM +, Mo Zhou wrote:
> The proposed idea is to take some advantages from source-based
> software distribution tools. Examples are available here:
> https://github.com/dupr/duprkit
> https://github.com/dupr/DefaultCollection

I looked into this. Your reasons are sound and you are scratching your
itch. This is great.

It seems that a key aspect of this thing is avoiding to (re)distribute
sources. You give good reasons for why this is needed and I see no need
to reiterate or discuss them.

Your implementation goes straight from .durpkg -> .deb. I question this
decision: We already have lots of tools to go from .dsc to .deb. Your
implementation replicates part of that and I think, this is bad as it
makes it harder to collaborate.

Let me propose a rather intrusive interface change to duprkit. What if
the result of building a .durpkg was a .dsc rather than a .deb? Then you
could split duprkit into two tools:

 * One tool to build source packages from .durpkg files on demand.
 * One tool to build a specific binary package from a given deb-src
   repository.

Now in principle, the latter is simply sbuild or pbuilder, but there is
more to it:
 * Given the binary package name, figure out which source package must
   be built.
 * Given that source package's Build-Depends, figure out what other
   binary packages need to be built.
 * Recurse.
 * Build them in a suitable order.

(Some people will observe that this is the "bootstrap" problem. ;)

There is one major difficulty here (and duprkit doesn't presently solve
that either): If you figure that some binary package is missing, you
have no way of knowing which .durpkg file to build to get the relevant
source package.

Before tackling that problem, the question arises of whether that
problem is in scope. Does duprkit really want to handle complex
dependencies or is the idea really to just get the stuff into users
hands? In the latter case, vendoring likely is a simple way to avoid
this problem entirely.

Now let's assume that you do want to allow complex dependencies in this
user repository. In this case, it would make sense to trade .durpkg
files for plain "debian" directories with an additional debian/rules
target to obtain the source. (We removed "get-orig-source" from policy a
while ago, but maybe this is what you want here.)

If you go this route, you can just scrape those debian/control files to
figure out which .durpkg files to convert into .dsc files.

I don't think I would start using such a user repository. I'm much too
scared about it. Yet, the second part of the problem seems interesting
to me: Taking a (possibly local) repository of source packages and
building a specific binary package (plus everything that's needed to get
there). I think that you can increase collaboration by changing your
interface in a way that makes it easier to reuse in other settings.

Helmut

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Sam Hartman]

> "Marc" == Marc Haber  writes:

Marc> On Wed, 10 Apr 2019 03:17:39 +, Mo Zhou  wrote:
>> The design of .durpkg is permissive enough because the header
>> part, i.e.  the shell script is fully controled by the user. In
>> this shell script, one could just copy the nearby debian
>> directory to the root dir of source tree, and/or optionally
>> unfold the trailing HFT[1] part.  Without the HFT part, every
>> file will only have one syntax.  Template with an auxiliary
>> debian/ directory is missing but that doesn't mean it's not
>> supported.

Marc> Is there a vim mode (folding, syntax hilight) for that file
Marc> type? If not, then this format has a _significant_
Marc> disadvantage over the way we have been doing things for two
Marc> decades.

I think Russ has a good point here.  There are some people who prefer
the single file format and some people who prefer the directory.
The current discussion is sounding a lot like sniping and if it were
directed at me I'd find it really frustrating.

It seems an area where it matters to the people contributing to the
project and basically no one else.
As a non-vim user, for example, I find the lack of vim syntax hilight
entirely irrelevant.
As someone who isn't likely to contribute to this project, my opinion
shouldn't matter anyway.
Mo has already indicaded that you can package up directories rather than
files.  If you're interested in the project but would prefer to use that
format, then go do that and submit PRs.
If there are specific packages in the project you'd like to improve but
the format of that package makes it something you don't want to work on,
then give Mo that feedback.

Otherwise, I'd encourage you to let the issue rest.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

On Wed, Apr 10, 2019 at 09:46:28AM +0200, Marc Haber wrote:
> On Wed, 10 Apr 2019 03:17:39 +, Mo Zhou  wrote:
> >The design of .durpkg is permissive enough because the header part, i.e.
> >the shell script is fully controled by the user. In this shell script,
> >one could just copy the nearby debian directory to the root dir of
> >source tree, and/or optionally unfold the trailing HFT[1] part.
> >Without the HFT part, every file will only have one syntax.
> >Template with an auxiliary debian/ directory is missing but that
> >doesn't mean it's not supported.
> 
> Is there a vim mode (folding, syntax hilight) for that file type? If
> not, then this format has a _significant_ disadvantage over the way we
> have been doing things for two decades.

As a vim user, I'd love to explore the syntax script for HFT format,
although I have little knowledge about vim scripting. The issue is
tracked here[1], and the vim syntax looks possible to implement
according to some links there.

The HFT format is supposed to work like sort of "plain text tar".  I
also planned to add file mode support. Due to the nature of the HFT
format, one can actually complete the debian/ directory first, then pack
it into the HFT format and append the HFT file to the .durpkg.  When
editing the debian/ files in .durpkg feels bad, one can temporarily
unfold the HFT part into the debian/ directory and edit. See [2].
Or one can just keep the debian/ directory unfolded.

Anyway, it would be much better if a vim syntax for HFT is available.
And it would be much appreciated if any vim expert can point me the
shortest path to implement that :-)

[1] https://github.com/dupr/duprkit/issues/40
[2] See point.2 at https://github.com/dupr/duprkit#create-new-recipe

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Marc Haber]

On Wed, 10 Apr 2019 03:17:39 +, Mo Zhou  wrote:
>The design of .durpkg is permissive enough because the header part, i.e.
>the shell script is fully controled by the user. In this shell script,
>one could just copy the nearby debian directory to the root dir of
>source tree, and/or optionally unfold the trailing HFT[1] part.
>Without the HFT part, every file will only have one syntax.
>Template with an auxiliary debian/ directory is missing but that
>doesn't mean it's not supported.

Is there a vim mode (folding, syntax hilight) for that file type? If
not, then this format has a _significant_ disadvantage over the way we
have been doing things for two decades.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

On Tue, Apr 09, 2019 at 06:53:44PM -0700, Russ Allbery wrote:
> Mo Zhou  writes:
> 
> This is one of those vi vs. Emacs things: I don't think you're going to
> convince anyone who prefers it the other way.  Possibly my least favorite
> thing about RPMs is the spec files, because by smashing everything
> together into the same file, the syntax of that file is absurd.  This bit
> is a shell script!  This bit is a configuration file!  This bit is
> human-readable text!  This bit is a patch list!  This bit is a file
> manifest!  This bit is a structured changelog!  This bit is a bunch of
> preprocessor definitions!  Aie.
> 
> One syntax per file, please.

The design of .durpkg is permissive enough because the header part, i.e.
the shell script is fully controled by the user. In this shell script,
one could just copy the nearby debian directory to the root dir of
source tree, and/or optionally unfold the trailing HFT[1] part.
Without the HFT part, every file will only have one syntax.
Template with an auxiliary debian/ directory is missing but that
doesn't mean it's not supported.

I'll keep in mind to carefully consider different user preferences,
and possibly also provide different templates.

[1] https://github.com/dupr/duprkit/blob/master/bin/hft

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Russ Allbery]

Mo Zhou  writes:

> Plus, it's super important to write every packaging bit into a single
> file. That would enable simple copy from github or any other
> resources. If you provide a directory, things will become more
> complicated. More impotantly, the proposed single file specification
> virtually adds NO overhead.

This is one of those vi vs. Emacs things: I don't think you're going to
convince anyone who prefers it the other way.  Possibly my least favorite
thing about RPMs is the spec files, because by smashing everything
together into the same file, the syntax of that file is absurd.  This bit
is a shell script!  This bit is a configuration file!  This bit is
human-readable text!  This bit is a patch list!  This bit is a file
manifest!  This bit is a structured changelog!  This bit is a bunch of
preprocessor definitions!  Aie.

One syntax per file, please.

-- 
Russ Allbery (r...@debian.org)   

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Marvin Renich]

* Vincent Bernat  [190409 01:26]:
>  ❦  9 avril 2019 08:41 +10, Ben Finney :
> 
> >> >> yes, it can be done, but it is a lot more work for individual
> >> >> packagers.
> >> >
> >> > Sure. And, on the other hand, providing an APT repository for arbitrary
> >> > packages of unknown copyright status is also a lot of work to expect
> >> > disinterested volunteers to do without motivation.
> >>
> >> Disinterested volunteers are never forced to work for Debian.
> >
> > Yes, that's why I said “expect” and not “force”.
> 
> Being forced is the definition of expect.
> 
> "to consider bound in duty or obligated they expect you to pay your
> bills" 

No, "expect" means that one person has a belief that another person has
some obligation (note the word "consider" in the definition you quoted).
An expectation does not need to, and very often does not, have any
coercion ("force") associated with it.  Expectations are often not met,
and are sometimes not even reasonable.

> >> What is the point of being so negative?
> >
> > Not sure who you're addressing here, and I'm sorry if the discussion
> > appears negative to you.
> 
> I am addressing you. You try to dissuade people on the basis this is
> work you are not interested to do. If someone was implementing PPA/DPA,
> what would be the downside for people not interested in them? None. You
> can just ignore the feature.

I don't believe he was being negative.  Combining the paragraph you
quoted with his next paragraph, I interpreted it as "Your idea may not
align with the principles of the Debian project as a whole, but you seem
to have enough capable developers who are interested in your idea to
implement it outside of Debian."

That sounded constructive and encouraging, while redirecting away from a
solution that he did not believe would (or should?) work for reasons
related to the ideals of the project.

...Marvin

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Vincent Bernat]

 ❦  9 avril 2019 08:41 +10, Ben Finney :

>> >> yes, it can be done, but it is a lot more work for individual
>> >> packagers.
>> >
>> > Sure. And, on the other hand, providing an APT repository for arbitrary
>> > packages of unknown copyright status is also a lot of work to expect
>> > disinterested volunteers to do without motivation.
>>
>> Disinterested volunteers are never forced to work for Debian.
>
> Yes, that's why I said “expect” and not “force”.

Being forced is the definition of expect.

"to consider bound in duty or obligated they expect you to pay your
bills" 

>> What is the point of being so negative?
>
> Not sure who you're addressing here, and I'm sorry if the discussion
> appears negative to you.

I am addressing you. You try to dissuade people on the basis this is
work you are not interested to do. If someone was implementing PPA/DPA,
what would be the downside for people not interested in them? None. You
can just ignore the feature.
-- 
Must I hold a candle to my shames?
-- William Shakespeare, "The Merchant of Venice"


signature.asc
Description: PGP signature

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ben Finney]

Vincent Bernat  writes:

>  ❦  8 avril 2019 14:46 +10, Ben Finney :
>
> >> yes, it can be done, but it is a lot more work for individual
> >> packagers.
> >
> > Sure. And, on the other hand, providing an APT repository for arbitrary
> > packages of unknown copyright status is also a lot of work to expect
> > disinterested volunteers to do without motivation.
>
> Disinterested volunteers are never forced to work for Debian.

Yes, that's why I said “expect” and not “force”.

> What is the point of being so negative?

Not sure who you're addressing here, and I'm sorry if the discussion
appears negative to you.

-- 
 \  “When I get real bored, I like to drive downtown and get a |
  `\ great parking spot, then sit in my car and count how many |
_o__)people ask me if I'm leaving.” —Steven Wright |
Ben Finney

RE:RE:[Idea] Debian User Repository? (Not simply mimicing AUR)

[PICCA Frederic-Emmanuel]

After a build, you get this 

https://salsa.debian.org/science-team/python-xrayutilities/-/jobs/147913/artifacts/browse/debian/output/

Is it enought for you.
Mayve you can discuss with the salsa pipeline team and request a target in 
order to produce a better repo.

cheers

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ansgar]

Paul Wise writes:
> On Mon, Apr 8, 2019 at 3:34 PM Mo Zhou wrote:
>
>> However, the translator itself is not trivial, as it might need
>> it's own shell parser or something alike to be reliable enough.
>
> Couldn't you just run makepkg (with some hooks) and dpkg-deb to
> convert the results to Debian packages?

How should this handle dependencies (probably named differently in
Debian) or maintainer scripts?

Tools like `alien` to convert RPM and Debian packages have similar
limitations and I don't remember them working that well.

Ansgar

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Shengjing Zhu]

> from PPA (source+binary-based).

If people just want a PPA which supports Debian, please just take a
look at OBS[1].

I've seen many upstreams provide packages with OBS, and most
distributions are supported.
Not only deb, but also rpm, from Debian/Ubuntu to OpenSuse/Fedora, and
even Archlinux, in a uniform way.

[1] https://build.opensuse.org/


--
Shengjing Zhu

Re: RE:[Idea] Debian User Repository? (Not simply mimicing AUR)

[Kyle Edwards]

On Mon, 2019-04-08 at 16:05 +, PICCA Frederic-Emmanuel wrote:
> now we have the salsa pipeline.
> 
> does it fit your needs ?

Does this allow non-DD's to host packages? Nobody at Kitware is a DD,
we just host an unofficial third-party repository, similar to PPA.

Kyle

RE:[Idea] Debian User Repository? (Not simply mimicing AUR)

[PICCA Frederic-Emmanuel]

now we have the salsa pipeline.

does it fit your needs ?

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Kyle Edwards]

On Mon, 2019-04-08 at 00:02 -0400, Peter Silva wrote:
> > If one needs to keep a close eye on changes to make sure they can
> > still
> > be installed even on a years-old OS, the resulting packages can be
> > placed in a custom repository set up with the instructions at
> > https://wiki.debian.org/DebianRepository/Setup>;. What am I
> > missing?
> > 
> yes, it can be done, but it is a lot more work for individual
> packagers.
> 
> launchpad.net combines:
>    - very few clicks to build custom repositories.
>    - a build environment for each OS, so that it runs "debuild" in
> the currently patched version of the OS for which the package it
> built.
> 
> It saves people from having to build their own custom repository, and
> from having to maintain a build environment for all supported OS
> versions and architectures.  on Ubuntu,  packages are built for
> 14.04, 16,04, 18.04, 18.10, 19.04, and I get all those just from
> clicking one box for each one. I think it also propagates re-building 
> of packages when a build-dependency changes, without my knowledge or
> interaction.  It leverages the ubuntu build-farm for third-party
> packages.
> 
> With debian, it's kind of all or nothing.  Etiher you're in Debian,
> and it gets built on every platform using the build farm, or it's
> not, so you get no help at all. Launchpad gives a nice middle road
> that suits us right now, and if something similar were available for
> debian, it would provide a stepping stone to being in Debian proper.
CMake and VTK upstream here. This was my exact observation a while back
when I tried to package VTK for Debian and Ubuntu. Packaging for Ubuntu
was very easy: just upload your packaging script to launchpad.net and
you're done. For Debian, I had to set up a build machine and an Aptly
repository on a virtual machine that pulls in built packages from
"incoming", inserts them into the Aptly repo, and rsyncs them to a web
server, basically mimicking what the Debian repo infrastructure does.
This was non-trivial to set up, and I found it frustrating that
Launchpad-like infrastructure did not exist for Debian. (Building lots
of packages is easy once you have the infrastructure, but the initial
investment is rather high.) Just my $0.02.
Kyle

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Alf Gaida]

DUR is fine, DPA is fine PPA is not - as it is used before in a totally 
different context.


The idea just to require git is really nice, putting all the things into 
a single file is not. Not even Arch does it. (patches, install, config 
...) - so the default debian dir should be enough.


Please think a bit further - which files are really needed?
* control
* rules
* watch

There was discussions to make rules obsolete in standard packages - if 
there is no rules file, just assume/use the default. compat is obsoleted 
if one use debhelper-compat, copyright would be nice to have, but might 
not be needed for a possible dur. Same for all other things.


Things become a bit different if one want to use patches. So why don't 
use the debian standards. Same for packages that result in more than one 
binary package.


If anything else fails just add a file with a special set of things for 
the DUR/DPA - should be dead easy, i use something similar for years now 
to build things from several git sources.


Cheers Alf

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Jonathan Dowland]

On Mon, Apr 08, 2019 at 11:18:14AM +, Mo Zhou wrote:

The proposed idea is source-only-based, and is totally different
from PPA (source+binary-based). I'm a PPA user and I don't have
any reason to re-invent yet another PPA.


Sorry I appreciate that *your* idea is different, and effectively
my sub-thread is a hijack, but to be clear what I was referring to
was the naming of the pre-existing "Bikeshed" proposal for Debian,
which is equivalent to PPAs.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

On Mon, Apr 08, 2019 at 01:59:04PM +0200, W. Martin Borgert wrote:
> Quoting Mo Zhou :
> > Plus, letting users write PKGBUILD doesn't help them learn
> > Debian packaging at all...
> 
> Then I would try to diverge as little as possible
> from the classical way how Debian packaging works.
 
If you didn't read the code of fold/unfold and don't understand
why I declare that the cost of the proposed single-file format
has nearly zero-cost, please refer to the traditional style
alternative:

https://github.com/dupr/DefaultCollection/tree/master/rover-traditional
I expect no one to argue about this "traditional" style.
This "traditional" style is exactly what you do for the
official debian development, in the "debian-directory-only"
git workflow.

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Mo Zhou]

On Mon, Apr 08, 2019 at 03:50:19PM +0300, Tzafrir Cohen wrote:
> Hi,
> 
> The README states a directory structure with a top-level collection
> directory, but the repository currently does not include one.

The github.com:dupr/DefaultCollection.git repo is indeed a specification
compliant if you mangle the first layer of directory structure.

```
--- a/README
+++ b/README
@@ -17,7 +17,7 @@ name. Plus, no one prevents you from submitting a debian 
directory.

 For example:

-A-Certain-Collection/
+A-Certain-Collection/  # For example, this git repository.
 library-foo/
 library-foo.durpkg
 library-foo-ubuntu.durpkg
```

> Looking at:
> 
> 
> https://github.com/dupr/DefaultCollection/blob/master/rover/rover.durpkg
> 
> I see that the name of the directory repeats quite a number of times.
> The clean function needs to state 'rm -rf' explicitly, which I hope
> won't lead to typos.

The repetition of "pushd" and "popd" is something that could be improved
later. So the same as the 'rm -rf' hook. The two problems have been
tracked here:
https://github.com/dupr/duprkit/issues/3
https://github.com/dupr/duprkit/issues/4

Please don't expect too much from a prototype rushed within several
hours. That's used for presenting the idea instead of presenting
a graceful implementation.

> The changelog is buried deep inside the package an needs to be updated
> whenever a version number is bumped.

AUR's PKGBUILD doesn't record changes. If you feel like that the dch
has been deeply buried, the usage of traditional debian/ directory
layout is still supported:
https://github.com/dupr/DefaultCollection/tree/master/rover-traditional
https://github.com/dupr/DefaultCollection/blob/master/rover-traditional/debian/changelog

One could easity convert the packaging between single-file format and
debian/ directory with a single-command-cost (virtually zero-cost).

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Tzafrir Cohen]

Hi,


On 08/04/2019 14:18, Mo Zhou wrote:
> Hi,
>
> The proposed idea is source-only-based, and is totally different
> from PPA (source+binary-based). I'm a PPA user and I don't have
> any reason to re-invent yet another PPA.
>
> The proposed idea is to take some advantages from source-based
> software distribution tools. Examples are available here:
> https://github.com/dupr/duprkit
> https://github.com/dupr/DefaultCollection

The README states a directory structure with a top-level collection
directory, but the repository currently does not include one.


Looking at:


https://github.com/dupr/DefaultCollection/blob/master/rover/rover.durpkg


I see that the name of the directory repeats quite a number of times.
The clean function needs to state 'rm -rf' explicitly, which I hope
won't lead to typos.


The changelog is buried deep inside the package an needs to be updated
whenever a version number is bumped.


-- Tzafrir

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Roberto C . Sánchez]

On Mon, Apr 08, 2019 at 12:29:56PM +, Mo Zhou wrote:
> Hi,
> 
> On Mon, Apr 08, 2019 at 08:18:53AM -0400, Roberto C. Sánchez wrote:
> > On Mon, Apr 08, 2019 at 06:49:10AM +, Mo Zhou wrote:
> > > Hi,
> > > 
> > > As you wish, I added a disclaimer to the toolkit, and replaced every
> > > single "Debian" keyword in the repo with "D**ian", except for those
> > > in disclaimer.
> > 
> > Perhaps using ".deb" instead of "Debian" or "D**ian" might be more
> > practical.  After all, the whole exercise seems to be more focused on
> > the packaging and distribution of said packages, rather than "Debian the
> > GNU/Linux distribution" as a project.  If there are places where the
> > leading dot might be impractical or confusing, then perhaps "dotdeb" or
> > "dot-deb" might be more workable.
> 
> However the idea involves no distribution of any single ".deb" file.
> That's more likely a "User Recipe Repository", instead of a "User dishes
> Repository". People will ask "where on earth are your .deb files?" if
> I put ".deb" to the title.
> 
OK.  Thanks for the explanation.  It seems like I did not properly grasp
that aspect of it.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

On Mon, Apr 08, 2019 at 08:18:53AM -0400, Roberto C. Sánchez wrote:
> On Mon, Apr 08, 2019 at 06:49:10AM +, Mo Zhou wrote:
> > Hi,
> > 
> > As you wish, I added a disclaimer to the toolkit, and replaced every
> > single "Debian" keyword in the repo with "D**ian", except for those
> > in disclaimer.
> 
> Perhaps using ".deb" instead of "Debian" or "D**ian" might be more
> practical.  After all, the whole exercise seems to be more focused on
> the packaging and distribution of said packages, rather than "Debian the
> GNU/Linux distribution" as a project.  If there are places where the
> leading dot might be impractical or confusing, then perhaps "dotdeb" or
> "dot-deb" might be more workable.

However the idea involves no distribution of any single ".deb" file.
That's more likely a "User Recipe Repository", instead of a "User dishes
Repository". People will ask "where on earth are your .deb files?" if
I put ".deb" to the title.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Roberto C . Sánchez]

On Mon, Apr 08, 2019 at 06:49:10AM +, Mo Zhou wrote:
> Hi,
> 
> As you wish, I added a disclaimer to the toolkit, and replaced every
> single "Debian" keyword in the repo with "D**ian", except for those
> in disclaimer.

Perhaps using ".deb" instead of "Debian" or "D**ian" might be more
practical.  After all, the whole exercise seems to be more focused on
the packaging and distribution of said packages, rather than "Debian the
GNU/Linux distribution" as a project.  If there are places where the
leading dot might be impractical or confusing, then perhaps "dotdeb" or
"dot-deb" might be more workable.

Regards,

-Roberto
-- 
Roberto C. Sánchez

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[W. Martin Borgert]

Quoting Mo Zhou :

Plus, letting users write PKGBUILD doesn't help them learn
Debian packaging at all...


Then I would try to diverge as little as possible
from the classical way how Debian packaging works.

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Mo Zhou]

Hi,

The proposed idea is source-only-based, and is totally different
from PPA (source+binary-based). I'm a PPA user and I don't have
any reason to re-invent yet another PPA.

The proposed idea is to take some advantages from source-based
software distribution tools. Examples are available here:
https://github.com/dupr/duprkit
https://github.com/dupr/DefaultCollection

Only "packaging scripts" are provided. Upstream source are
downloaded by the scritps locally before the build. The proposed
idea will never involve "distributing resulting binary .deb packages".

Again, the idea is totally different from PPA.

On Mon, Apr 08, 2019 at 10:32:46AM +, Holger Levsen wrote:
> On Mon, Apr 08, 2019 at 10:18:39AM +0100, Jonathan Dowland wrote:
> > > At the first glance I interpreted the sentence as
> > >  "This will only lead to flamewars"
> > > due to the meaning of bikeshed[1].
> > > 
> > > However, I got a hint from a fellow developer and learned that
> > > "Bikeshed" has its own meaning under Debian's context, according
> > > to some old mailing list fragments[2][3] -- which refers to a
> > > dak feature (This is the first time I heard of such thing).
> > This supports my (thus far) private feeling that naming this initiative
> > "Bikeshed" is a bad idea.
> 
> +1
> 
> I also think that using the name "D**ian" is a bad idea.
> 
> Just call it PPAs... millions of people know that term.

Re: PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Ondřej Surý]

Or DPA (Debian Personal Archive)...

Ondrej
--
Ondřej Surý 

> On 8 Apr 2019, at 12:32, Holger Levsen  wrote:
> 
> On Mon, Apr 08, 2019 at 10:18:39AM +0100, Jonathan Dowland wrote:
>>> At the first glance I interpreted the sentence as
>>> "This will only lead to flamewars"
>>> due to the meaning of bikeshed[1].
>>> 
>>> However, I got a hint from a fellow developer and learned that
>>> "Bikeshed" has its own meaning under Debian's context, according
>>> to some old mailing list fragments[2][3] -- which refers to a
>>> dak feature (This is the first time I heard of such thing).
>> This supports my (thus far) private feeling that naming this initiative
>> "Bikeshed" is a bad idea.
> 
> +1
> 
> I also think that using the name "D**ian" is a bad idea.
> 
> Just call it PPAs... millions of people know that term.
> 
> 
> -- 
> tschau,
>Holger
> 
> ---
>   holger@(debian|reproducible-builds|layer-acht).org
>   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

PPAs (Re: [Idea] Debian User Repository? (Not simply mimicing AUR))

[Holger Levsen]

On Mon, Apr 08, 2019 at 10:18:39AM +0100, Jonathan Dowland wrote:
> > At the first glance I interpreted the sentence as
> >  "This will only lead to flamewars"
> > due to the meaning of bikeshed[1].
> > 
> > However, I got a hint from a fellow developer and learned that
> > "Bikeshed" has its own meaning under Debian's context, according
> > to some old mailing list fragments[2][3] -- which refers to a
> > dak feature (This is the first time I heard of such thing).
> This supports my (thus far) private feeling that naming this initiative
> "Bikeshed" is a bad idea.

+1

I also think that using the name "D**ian" is a bad idea.

Just call it PPAs... millions of people know that term.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ondřej Surý]

I don’t think you need to avoid using “Debian” in the name.

This is the least problem your proposal have.

Ondrej
--
Ondřej Surý 

> On 8 Apr 2019, at 12:27, Mo Zhou  wrote:
> 
> Hi,
> 
> D**ian may be pronounced as "Dasteriskian", i.e. "D-asterisk-ian"
> (Still sounds ugly). I'm really bad at naming things, neither.
> 
> AUR is not targeted on new Archlinux users. Likewise, the D**bian
> term is not expected to cause confusion to people who really
> need to use these scripts/tools. That said, I want a better name
> too.
> 
>> On Mon, Apr 08, 2019 at 12:05:56PM +0200, W. Martin Borgert wrote:
>> Quoting Mo Zhou :
>>> As you wish, I added a disclaimer to the toolkit, and replaced every
>>> single "Debian" keyword in the repo with "D**ian", except for those
>>> in disclaimer.
>> 
>> Pardon, but replacing letters with '*' looks like Debian were a
>> swearword ("f*ck", "sh*t", ...) one likes to avoid. Also, it is
>> not a good name, because nobody knows how to pronounce it nor
>> which letters exactly were replaced. I'm bad at naming, sorry,
>> but please find something else before people get used to it :-)
> 

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

D**ian may be pronounced as "Dasteriskian", i.e. "D-asterisk-ian"
(Still sounds ugly). I'm really bad at naming things, neither.

AUR is not targeted on new Archlinux users. Likewise, the D**bian
term is not expected to cause confusion to people who really
need to use these scripts/tools. That said, I want a better name
too.

On Mon, Apr 08, 2019 at 12:05:56PM +0200, W. Martin Borgert wrote:
> Quoting Mo Zhou :
> > As you wish, I added a disclaimer to the toolkit, and replaced every
> > single "Debian" keyword in the repo with "D**ian", except for those
> > in disclaimer.
> 
> Pardon, but replacing letters with '*' looks like Debian were a
> swearword ("f*ck", "sh*t", ...) one likes to avoid. Also, it is
> not a good name, because nobody knows how to pronounce it nor
> which letters exactly were replaced. I'm bad at naming, sorry,
> but please find something else before people get used to it :-)

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

On Mon, Apr 08, 2019 at 03:46:15PM +0800, Paul Wise wrote:
> On Mon, Apr 8, 2019 at 3:34 PM Mo Zhou wrote:
> 
> > However, the translator itself is not trivial, as it might need
> > it's own shell parser or something alike to be reliable enough.
> 
> Couldn't you just run makepkg (with some hooks) and dpkg-deb to
> convert the results to Debian packages?

Worth a try. I'll dig into this on the weekend.
The enhancement is tracked here:
https://github.com/dupr/duprkit/issues/1

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Jonathan Dowland]

On Sun, Apr 07, 2019 at 02:17:00PM +, Mo Zhou wrote:

This single sentence is quite ambiguous to non-native english speakers.

At the first glance I interpreted the sentence as
 "This will only lead to flamewars"
due to the meaning of bikeshed[1].

However, I got a hint from a fellow developer and learned that
"Bikeshed" has its own meaning under Debian's context, according
to some old mailing list fragments[2][3] -- which refers to a
dak feature (This is the first time I heard of such thing).


This supports my (thus far) private feeling that naming this initiative
"Bikeshed" is a bad idea.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ole Streicher]

Paul Wise  writes:
> On Sun, Apr 7, 2019 at 10:14 PM Peter Silva  wrote:
>> We would love to be able to upstream to debian, but haven't figured it out
>
> The process is pretty simple, but reliant on the limited number of
> Debian members who do package sponsorship. The ones we do have are
> fairly active though. The process is essentially; fix any quality
> issues, upload source packages to mentors.d.n, file a request for
> sponsor and reply to any responses you get.

For some fields, there are also additional possibilities: If you put
your packages into a Debian Pure Blend (like Debian Science, or Debian
Astro) and follow their rules, chances are big that someone from there
does the mentorship rather quickly.

Best

Ole

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Paul Wise]

On Mon, Apr 8, 2019 at 3:34 PM Mo Zhou wrote:

> However, the translator itself is not trivial, as it might need
> it's own shell parser or something alike to be reliable enough.

Couldn't you just run makepkg (with some hooks) and dpkg-deb to
convert the results to Debian packages?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi Paul,

I've ever thought about a PKGBUILD->Deb translator, and in this
way we can directly reuse all existing code in AUR without change.

However, the translator itself is not trivial, as it might need
it's own shell parser or something alike to be reliable enough.

The current (virtually) zero-overhead naive prototype, still allows the
reuse of existing debian packaging scripts and documentations.
Plus, letting users write PKGBUILD doesn't help them learn
Debian packaging at all...

On Mon, Apr 08, 2019 at 03:29:12PM +0800, Paul Wise wrote:
> On Sun, Apr 7, 2019 at 9:26 PM Mo Zhou wrote:
> 
> > Such idea about informal packaging repository has been
> > demonstrated successful by the Archlinux User Repository (AUR).
> > Hence, it should be valuable to think about it for Debian.
> 
> Seems like a PKGBUILD-to-deb script would be a simple way to do this
> and would also allow leveraging the existing PKGBUILD archive that is
> AUR and prevent splitting the community of people who make informal
> packaging.
> 
> In 2007 there was something similar for Gentoo ebuilds:
> 
> http://penta.debconf.org/dc7_schedule/events/69.en.html
> https://www.youtube.com/watch?v=Hy9ugWUuNBM
> 
> -- 
> bye,
> pabs
> 
> https://wiki.debian.org/PaulWise

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Paul Wise]

On Sun, Apr 7, 2019 at 9:26 PM Mo Zhou wrote:

> Such idea about informal packaging repository has been
> demonstrated successful by the Archlinux User Repository (AUR).
> Hence, it should be valuable to think about it for Debian.

Seems like a PKGBUILD-to-deb script would be a simple way to do this
and would also allow leveraging the existing PKGBUILD archive that is
AUR and prevent splitting the community of people who make informal
packaging.

In 2007 there was something similar for Gentoo ebuilds:

http://penta.debconf.org/dc7_schedule/events/69.en.html
https://www.youtube.com/watch?v=Hy9ugWUuNBM

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Paul Wise]

On Sun, Apr 7, 2019 at 10:14 PM Peter Silva  wrote:

> We would love to be able to upstream to debian, but haven't figured it out

The process is pretty simple, but reliant on the limited number of
Debian members who do package sponsorship. The ones we do have are
fairly active though. The process is essentially; fix any quality
issues, upload source packages to mentors.d.n, file a request for
sponsor and reply to any responses you get.

https://mentors.debian.net/intro-maintainers

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

As you wish, I added a disclaimer to the toolkit, and replaced every
single "Debian" keyword in the repo with "D**ian", except for those
in disclaimer.

```
Everything included in this repository is totoally unrelated to the Debian
Project, or any OFFICIAL Debian development. Debian Project is not responsible
for any consequence resulted by utilization of the D**ian User Package
Repository Toolkit or any related .durpkg collections or single .durpkg files.
Please Take your own risk utilizing the toolkit, and please review every line
of code before execution.
```

I hereby emphasize that

  * The idea of D**ian User Repository is TOTALLY UNRELATED TO OFFICIAL
Debian Development.

  * The Debian Project is unrelated and unresponsible for anything
included 

  * The D**ian User Repository stuff STRONGLY recommend every user to review
everything before execution.

  * My initiative is JUST getting scutwork done, instead of introducing
any legal risk to the Debian Project.

This thread on -devel is still meaningful if any user wants to integrate
the basic and unofficial D**ian ... Toolkit into Debian.

However, to be as much cooperative as I can, if this thread is
considered to be toxic or off-topic, that means my immediate termination
of involvement in this thread.


On Mon, Apr 08, 2019 at 01:25:22AM -0400, Scott Kitterman wrote:
> I don't think this should have Debian in it's name at all.  Fetching random 
> code from Github and building it isn't what we're about.
> 
> Scott K

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Vincent Bernat]

 ❦  8 avril 2019 14:46 +10, Ben Finney :

>> yes, it can be done, but it is a lot more work for individual
>> packagers.
>
> Sure. And, on the other hand, providing an APT repository for arbitrary
> packages of unknown copyright status is also a lot of work to expect
> disinterested volunteers to do without motivation.

Disinterested volunteers are never forced to work for Debian. What is
the point of being so negative?
-- 
Keep it simple to make it faster.
- The Elements of Programming Style (Kernighan & Plauger)


signature.asc
Description: PGP signature

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Scott Kitterman]

I don't think this should have Debian in it's name at all.  Fetching random 
code from Github and building it isn't what we're about.

Scott K

On Monday, April 08, 2019 05:00:21 AM Mo Zhou wrote:
> Plus, it's super important to write every packaging bit into a single
> file. That would enable simple copy from github or any other
> resources. If you provide a directory, things will become more
> complicated. More impotantly, the proposed single file specification
> virtually adds NO overhead.
> 
> If I were a rookie, I'd really like single-file specifications
> which allows simple copy
> 
> On Mon, Apr 08, 2019 at 04:54:51AM +, Mo Zhou wrote:
> > On Sun, Apr 07, 2019 at 04:31:24PM +0200, Jonathan Carter wrote:
> > > +1, it's a good idea and I've thought of it before as well.
> > 
> > Nice!
> > 
> > > Reading some of the initial replies to your post, it seems like people
> > > don't entirely understand what you mean by an AUR-like service. This
> > > would definitely be different than PPAs (in the launchpad sense) or
> > > bikesheds (which is still a terrible name for all the confusion it
> > > causes).
> > 
> > Yes, and now real working example is available, see following.
> > 
> > > Have you put any thought in possible implementation yet? I don't think
> > > it's a good idea to devise any kind of new source packages. It's
> > 
> > Inventing yet-another wheel is unwise, undoubtedly. Only something
> > less than a tiny overhead is acceptable. Only in this way can
> > we use all existing mature development tools and documentations.
> > 
> > > probably not even necessary to use existing source packages. If you'd
> > > have the standard debian packaging for such an AUR^W... DUR? in a git
> > > repository (maybe like salsa.debian.org/dur/*) with a standardised git
> > > workflow for these, then it should be rather trivial to implement with a
> > > helper script that fetches the upstream source and just builds that
> > > package locally. So I think from a technical point of view, implementing
> > > something like AUR for Debian doesn't seem so hard. It can also act as a
> > > nice gateway to proper Debian development.
> > 
> > If we ignore the web part, a functional yet rushed demonstration is
> > available here:
> > 
> > https://github.com/dupr/duprkit
> > 
> > If you follow the instructions there, you will be able to pull the default
> > packaging collection, do searching by keyword, and build some demo
> > packages (they are really working).
> > 
> > Specifically, I drafted 2 new plain file format specifications:
> > f822 (means folded deb822), and durpkg (mimicing PKGBUILD).
> > 
> >  * f822 format allows you squash the whole debian/ directory into a single
> >  
> >plain file, with a specification that cannnot be simpler[1]
> >  
> >  * durpkg is a concatenation of a shell script and an f822 file[2].
> >  
> >the shell part[3] defines things like (1) how do prepare the source
> >(2) how to apply some patch (3) how to build the .deb packages
> >(4) how to clean (5) optionally user's customed hacks.
> >
> >Shell script introduces the MAXIMUM flexibility and allows the users
> >to do virtually anything they want.
> > 
> > An user contributed collection looks like [4], see readme for directory
> > layout specification for a DUR? collection. The "duprkit" can be
> > configured to use other, or private collections as well.
> > 
> > Everything looks hacky since it's rushed within several hours. Many
> > details could be improved. However, this demonstration is enough
> > to illusrate what I'm thinking.
> > 
> > [1] https://github.com/dupr/duprkit/blob/master/bin/unfold#L25
> > [2] https://github.com/dupr/duprkit/blob/master/bin/unfold#L74
> > [3]
> > https://github.com/dupr/DefaultCollection/blob/master/gotop/gotop.durpkg#
> > L1-L38 [4] https://github.com/dupr/DefaultCollection

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Plus, it's super important to write every packaging bit into a single
file. That would enable simple copy from github or any other
resources. If you provide a directory, things will become more
complicated. More impotantly, the proposed single file specification
virtually adds NO overhead.

If I were a rookie, I'd really like single-file specifications
which allows simple copy

On Mon, Apr 08, 2019 at 04:54:51AM +, Mo Zhou wrote:
> On Sun, Apr 07, 2019 at 04:31:24PM +0200, Jonathan Carter wrote:
> > +1, it's a good idea and I've thought of it before as well.
> 
> Nice!
>  
> > Reading some of the initial replies to your post, it seems like people
> > don't entirely understand what you mean by an AUR-like service. This
> > would definitely be different than PPAs (in the launchpad sense) or
> > bikesheds (which is still a terrible name for all the confusion it causes).
> 
> Yes, and now real working example is available, see following.
> 
> > Have you put any thought in possible implementation yet? I don't think
> > it's a good idea to devise any kind of new source packages. It's
> 
> Inventing yet-another wheel is unwise, undoubtedly. Only something
> less than a tiny overhead is acceptable. Only in this way can
> we use all existing mature development tools and documentations.
> 
> > probably not even necessary to use existing source packages. If you'd
> > have the standard debian packaging for such an AUR^W... DUR? in a git
> > repository (maybe like salsa.debian.org/dur/*) with a standardised git
> > workflow for these, then it should be rather trivial to implement with a
> > helper script that fetches the upstream source and just builds that
> > package locally. So I think from a technical point of view, implementing
> > something like AUR for Debian doesn't seem so hard. It can also act as a
> > nice gateway to proper Debian development.
> 
> If we ignore the web part, a functional yet rushed demonstration is
> available here:
> 
> https://github.com/dupr/duprkit
> 
> If you follow the instructions there, you will be able to pull the default
> packaging collection, do searching by keyword, and build some demo
> packages (they are really working).
> 
> Specifically, I drafted 2 new plain file format specifications:
> f822 (means folded deb822), and durpkg (mimicing PKGBUILD).
> 
>  * f822 format allows you squash the whole debian/ directory into a single
>plain file, with a specification that cannnot be simpler[1]
> 
>  * durpkg is a concatenation of a shell script and an f822 file[2].
>the shell part[3] defines things like (1) how do prepare the source
>(2) how to apply some patch (3) how to build the .deb packages
>(4) how to clean (5) optionally user's customed hacks.
> 
>Shell script introduces the MAXIMUM flexibility and allows the users
>to do virtually anything they want.
> 
> An user contributed collection looks like [4], see readme for directory
> layout specification for a DUR? collection. The "duprkit" can be
> configured to use other, or private collections as well.
> 
> Everything looks hacky since it's rushed within several hours. Many
> details could be improved. However, this demonstration is enough
> to illusrate what I'm thinking.
> 
> [1] https://github.com/dupr/duprkit/blob/master/bin/unfold#L25
> [2] https://github.com/dupr/duprkit/blob/master/bin/unfold#L74
> [3] 
> https://github.com/dupr/DefaultCollection/blob/master/gotop/gotop.durpkg#L1-L38
> [4] https://github.com/dupr/DefaultCollection
> 

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ben Finney]

Ben Finney  writes:

> Peter Silva  writes:
>
> > With debian, it's kind of all or nothing. Etiher you're in Debian,
> > and it gets built on every platform using the build farm, or it's
> > not, so you get no help at all.
>
> That doesn't seem accurate. Have people tried setting up an APT
> repository and got “no help at all”? Does the maintenance of the
> packages to run an APT repository, and instructions on how to do it, not
> count as help in doing that?

As for the build farm: the parties who donate those to Debian did so on
the understanding that they took on the load of building only the
official Debian archive. Opening the gates to even unofficial Debian
packages would be a significant increase in that burden on many of those
donated machines.

I think it's good to keep the distinction between official Debian
archive (which is built on the official Debian build farm) versus
unofficial packages (which need someone else with their own reasons to
donate resources to build them).

-- 
 \   “The generation of random numbers is too important to be left |
  `\to chance.” —Robert R. Coveyou |
_o__)  |
Ben Finney

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

On Sun, Apr 07, 2019 at 04:31:24PM +0200, Jonathan Carter wrote:
> +1, it's a good idea and I've thought of it before as well.

Nice!
 
> Reading some of the initial replies to your post, it seems like people
> don't entirely understand what you mean by an AUR-like service. This
> would definitely be different than PPAs (in the launchpad sense) or
> bikesheds (which is still a terrible name for all the confusion it causes).

Yes, and now real working example is available, see following.

> Have you put any thought in possible implementation yet? I don't think
> it's a good idea to devise any kind of new source packages. It's

Inventing yet-another wheel is unwise, undoubtedly. Only something
less than a tiny overhead is acceptable. Only in this way can
we use all existing mature development tools and documentations.

> probably not even necessary to use existing source packages. If you'd
> have the standard debian packaging for such an AUR^W... DUR? in a git
> repository (maybe like salsa.debian.org/dur/*) with a standardised git
> workflow for these, then it should be rather trivial to implement with a
> helper script that fetches the upstream source and just builds that
> package locally. So I think from a technical point of view, implementing
> something like AUR for Debian doesn't seem so hard. It can also act as a
> nice gateway to proper Debian development.

If we ignore the web part, a functional yet rushed demonstration is
available here:

https://github.com/dupr/duprkit

If you follow the instructions there, you will be able to pull the default
packaging collection, do searching by keyword, and build some demo
packages (they are really working).

Specifically, I drafted 2 new plain file format specifications:
f822 (means folded deb822), and durpkg (mimicing PKGBUILD).

 * f822 format allows you squash the whole debian/ directory into a single
   plain file, with a specification that cannnot be simpler[1]

 * durpkg is a concatenation of a shell script and an f822 file[2].
   the shell part[3] defines things like (1) how do prepare the source
   (2) how to apply some patch (3) how to build the .deb packages
   (4) how to clean (5) optionally user's customed hacks.

   Shell script introduces the MAXIMUM flexibility and allows the users
   to do virtually anything they want.

An user contributed collection looks like [4], see readme for directory
layout specification for a DUR? collection. The "duprkit" can be
configured to use other, or private collections as well.

Everything looks hacky since it's rushed within several hours. Many
details could be improved. However, this demonstration is enough
to illusrate what I'm thinking.

[1] https://github.com/dupr/duprkit/blob/master/bin/unfold#L25
[2] https://github.com/dupr/duprkit/blob/master/bin/unfold#L74
[3] 
https://github.com/dupr/DefaultCollection/blob/master/gotop/gotop.durpkg#L1-L38
[4] https://github.com/dupr/DefaultCollection

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ben Finney]

Peter Silva  writes:

> On Sun, Apr 7, 2019 at 11:10 PM Ben Finney  wrote:
>
> > If one needs to keep a close eye on changes to make sure they can
> > still be installed even on a years-old OS, the resulting packages
> > can be placed in a custom repository set up with the instructions at
> > https://wiki.debian.org/DebianRepository/Setup>. What am I
> > missing?

> yes, it can be done, but it is a lot more work for individual
> packagers.

Sure. And, on the other hand, providing an APT repository for arbitrary
packages of unknown copyright status is also a lot of work to expect
disinterested volunteers to do without motivation.

So it sounds like you know of at least enough individual developers that
you have a group motivated to maintain an unofficial APT repository.

That seems like an appropriate model: groups who want to make unofficial
packages available can put in the sys-admin effort to run an unofficial
APT repository with the existing tools.

The Debian project does not (and, I believe, should not) need to be the
home of third-party unofficial repositories; the tools to provide those
are already in the hands of anyone who wants to provide them.

> With debian, it's kind of all or nothing. Etiher you're in Debian, and
> it gets built on every platform using the build farm, or it's not, so
> you get no help at all.

That doesn't seem accurate. Have people tried setting up an APT
repository and got “no help at all”? Does the maintenance of the
packages to run an APT repository, and instructions on how to do it, not
count as help in doing that?

> Launchpad gives a nice middle road that suits us right now,
> and if something similar were available for debian, it would provide a
> stepping stone to being in Debian proper.

Conversely, I would argue that providing an APT repository for the
unofficial packages they want available is a way for grroups to, on
their own steam, provide that stepping stone.

-- 
 \“Beware of bugs in the above code; I have only proved it |
  `\ correct, not tried it.” —Donald Knuth, 1977-03-29 |
_o__)  |
Ben Finney

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Peter Silva]

On Sun, Apr 7, 2019 at 11:10 PM Ben Finney  wrote:

> Peter Silva  writes:
>
> > […] the launchpad.net model, which supports backporting seamlesslly
> > and allows to support the same version on all distro versions, works
> > better for us. This is something a debian version of launchpad would
> > get us.
>
> How does it handle “seamlessly” changes that make a package incompatible
> with the already-released Debian stable? If it doesn't handle that, is
> it right to call that seamless?
>
>
For the package in question, the changes are bug-fixes, 99% upward
compatible.
so yes, you're right it can't be totally seamless, we have release notes to
cover breakage events.
and other explicit communications.


> If one needs to keep a close eye on changes to make sure they can still
> be installed even on a years-old OS, the resulting packages can be
> placed in a custom repository set up with the instructions at
> https://wiki.debian.org/DebianRepository/Setup>. What am I missing?
>
>
yes, it can be done, but it is a lot more work for individual packagers.

launchpad.net combines:
   - very few clicks to build custom repositories.
   - a build environment for each OS, so that it runs "debuild" in the
currently patched version of the OS for which the package it built.

It saves people from having to build their own custom repository, and from
having to maintain a build environment for all supported OS versions and
architectures.  on Ubuntu,  packages are built for 14.04, 16,04, 18.04,
18.10, 19.04, and I get all those just from clicking one box for each one.
I think it also propagates re-building of packages when a build-dependency
changes, without my knowledge or interaction.  It leverages the ubuntu
build-farm for third-party packages.

With debian, it's kind of all or nothing.  Etiher you're in Debian, and it
gets built on every platform using the build farm, or it's not, so you get
no help at all. Launchpad gives a nice middle road that suits us right now,
and if something similar were available for debian, it would provide a
stepping stone to being in Debian proper.


-- 
>  \ “I think Western civilization is more enlightened precisely |
>   `\ because we have learned how to ignore our religious leaders.” |
> _o__)—Bill Maher, 2003 |
> Ben Finney
>
>

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ben Finney]

Peter Silva  writes:

> […] the launchpad.net model, which supports backporting seamlesslly
> and allows to support the same version on all distro versions, works
> better for us. This is something a debian version of launchpad would
> get us.

How does it handle “seamlessly” changes that make a package incompatible
with the already-released Debian stable? If it doesn't handle that, is
it right to call that seamless?

If one needs to keep a close eye on changes to make sure they can still
be installed even on a years-old OS, the resulting packages can be
placed in a custom repository set up with the instructions at
https://wiki.debian.org/DebianRepository/Setup>. What am I missing?

-- 
 \ “I think Western civilization is more enlightened precisely |
  `\ because we have learned how to ignore our religious leaders.” |
_o__)—Bill Maher, 2003 |
Ben Finney

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Roberto C . Sánchez]

On Sun, Apr 07, 2019 at 09:36:25PM -0400, Peter Silva wrote:
> 
>OK for unstable and testing, but I want to provide packages for stable
>versions of Debian using a separate repo that will be get frequent
>updates, even though the OS is stable. I get that with [4]launchpad.net.
>Your proposal makes no version ever available for a stable version.  yes,
>it contradicts the meaning of stable, but the idea is similar to the idea
>of using snaps, where certain applications require current versions, while
>most of the OS remains a stable platform.  
> 
Then I think that Ben Finney's observation is completely correct.

Regards,

-Roberto
-- 
Roberto C. Sánchez

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Peter Silva]

On Sun, Apr 7, 2019 at 8:41 PM Roberto C. Sánchez 
wrote:

> On Sun, Apr 07, 2019 at 05:50:37PM -0400, Peter Silva wrote:
> >
> >Hiring debian devs to get the packages into debian proper could make
> >sense. One thing that dampens our enthusiasm for that at the moment is
> >that our packages are still very unstable, in the sense that the we
> are
> >releasing materially better version incrementally, say once or twice a
> >month.  It is sort of analogous to a rolling release.  That works fine
> >with the launchpad model, but if it gets baked into debian, then we
> need
> >to support some random old version for many years. Perhaps once it has
> >stabilized, that would be something we could work with, but for now,
> the
> >[2]launchpad.net model, which supports backporting seamlesslly and
> allows
> >to support the same version on all distro versions, works better for
> us.
> >This is something a debian version of launchpad would get us.
> >
>
> You can already accomplish what you are describing today:
>
> - have packages uploaded to experimental
> - upload to unstable and file a release critical bug to prevent it
>   migrating to testing (look at https://bugs.debian.org/915050 for
>   instance)
>
> Both approaches get the package into Debian, available to users of
> unstable and/or experimental, as appropriate, and without risk of the
> package getting "baked in" to a Debian release for the long term.
>

OK for unstable and testing, but I want to provide packages for stable
versions of Debian using a separate repo that will be get frequent updates,
even though the OS is stable. I get that with launchpad.net. Your proposal
makes no version ever available for a stable version.  yes, it contradicts
the meaning of stable, but the idea is similar to the idea of using snaps,
where certain applications require current versions, while most of the OS
remains a stable platform.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ben Finney]

Peter Silva  writes:

> One thing that dampens our enthusiasm for that at the moment is that
> our packages are still very unstable […], but if it gets baked into
> debian, then we need to support some random old version for many
> years.

By that description it is not a good candidate for putting into Debian
the operating system.

If the upstream project is not going to support specific releases for
years, that puts the onus on Debian package maintainers to choose a
version for support during the lifetime of a Debian release.

So would you agree, then, that the barrier to entry to the Debian system
is appropriate in this case?

-- 
 \  “I don't want to live peacefully with difficult realities, and |
  `\ I see no virtue in savoring excuses for avoiding a search for |
_o__)real answers.” —Paul Z. Myers, 2009-09-12 |
Ben Finney

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Roberto C . Sánchez]

On Sun, Apr 07, 2019 at 05:50:37PM -0400, Peter Silva wrote:
> 
>Hiring debian devs to get the packages into debian proper could make
>sense. One thing that dampens our enthusiasm for that at the moment is
>that our packages are still very unstable, in the sense that the we are
>releasing materially better version incrementally, say once or twice a
>month.  It is sort of analogous to a rolling release.  That works fine
>with the launchpad model, but if it gets baked into debian, then we need
>to support some random old version for many years. Perhaps once it has
>stabilized, that would be something we could work with, but for now, the
>[2]launchpad.net model, which supports backporting seamlesslly and allows
>to support the same version on all distro versions, works better for us. 
>This is something a debian version of launchpad would get us.
> 

You can already accomplish what you are describing today:

- have packages uploaded to experimental
- upload to unstable and file a release critical bug to prevent it
  migrating to testing (look at https://bugs.debian.org/915050 for
  instance)

Both approaches get the package into Debian, available to users of
unstable and/or experimental, as appropriate, and without risk of the
package getting "baked in" to a Debian release for the long term.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Peter Silva]

On Sun, Apr 7, 2019 at 1:27 PM Roberto C. Sánchez 
wrote:

> On Sun, Apr 07, 2019 at 10:13:58AM -0400, Peter Silva wrote:
> >fwiw,  our organization doesn't have any debian devs.  We have a few
> >packages that we develop and deploy
> >for our internal needs, and make available to the internet with public
> >repositories.  they are (perhaps not perfectly) debian compliant
> packages,
> >but we aren't blessed debian devs (and frankly cannot be bothered to
> >become them.)
>
> There are many Debian developers who work as consultants specifically on
> Debian-related work, either independently or as part of a company that
> offers Debian-related services.
>
> Since you have done most of the work, you could easily hire one of those
> folks to help with a small number of hours worth of effort to take the
> package through the process of getting it into Debian.
>
> You can post to the debian-jobs list or check the Debian consultants
> page on the main Debian website for candidates.
>
> Regards,
>
> -Roberto
> --
> Roberto C. Sánchez
>
>
Hiring debian devs to get the packages into debian proper could make sense.
One thing that dampens our enthusiasm for that at the moment is that our
packages are still very unstable, in the sense that the we are releasing
materially better version incrementally, say once or twice a month.  It is
sort of analogous to a rolling release.  That works fine with the launchpad
model, but if it gets baked into debian, then we need to support some
random old version for many years. Perhaps once it has stabilized, that
would be something we could work with, but for now, the launchpad.net
model, which supports backporting seamlesslly and allows to support the
same version on all distro versions, works better for us.  This is
something a debian version of launchpad would get us.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Phil Morrell]

On Sun, Apr 07, 2019 at 07:01:28PM +0200, Alf Gaida wrote:
> For debian it could work the same way - just host the debian dir and be done
> with. Iirc the kde team work this way, they have only the debian dir in
> salsa. With a modified watch file it should be possible to get any source
> one want to. So the "only" thing needed is the infrastructure to host and
> maintain these repos. The rest is up to the user and a fundamental different
> approach as launchpad and ppa's.

I like it, and just wanted to share this related idea from the Gentoo
world about bootstrapping some automated trust without increasing
contribution friction too much:

https://dev.gentoo.org/~mgorny/articles/guru-a-new-model-of-contributing-to-gentoo.html#user-access-and-workflow
--
Phil Morrell


signature.asc
Description: PGP signature

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Roberto C . Sánchez]

On Sun, Apr 07, 2019 at 10:13:58AM -0400, Peter Silva wrote:
>fwiw,  our organization doesn't have any debian devs.  We have a few
>packages that we develop and deploy
>for our internal needs, and make available to the internet with public
>repositories.  they are (perhaps not perfectly) debian compliant packages,
>but we aren't blessed debian devs (and frankly cannot be bothered to
>become them.)

There are many Debian developers who work as consultants specifically on
Debian-related work, either independently or as part of a company that
offers Debian-related services.

Since you have done most of the work, you could easily hire one of those
folks to help with a small number of hours worth of effort to take the
package through the process of getting it into Debian.

You can post to the debian-jobs list or check the Debian consultants
page on the main Debian website for candidates.

Regards,

-Roberto
-- 
Roberto C. Sánchez

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Roberto C . Sánchez]

On Sun, Apr 07, 2019 at 02:34:05PM +, Mo Zhou wrote:
> Hi,
> 
> The problem is not "who is responsible for implementing this", but "is
> this valuable enough to implement".
> 
> If a group of people think it worthwhile to do something, they will be
> glad to work together on a common belief, spontaneously.  I as the
> initiator of the idea would definitely take action if I got enough
> positive feedbacks.
> 
I recommend that you start implementing something then request feedback.
Otherwise the whole exercise is just academic.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Alf Gaida]

On 07.04.19 17:40, gregor herrmann wrote:

I'm one of those people.
And I still don't know what "an AUR-like service" is, or what
"packaging scripts" are.

After reading the intro at
https://wiki.archlinux.org/index.php/Arch_User_Repository I guess,
translated to Debian terms, we are talking about user-provided source
packages?
  


Cheers,
gregor


Maybe a simple example of how things could work - the AUR consists of 
several things


* the website https://aur.archlinux.org/
* the git repo
* some not official (and not really needed) helper scripts

The wiki put it in the best possible way:

Users can search and download PKGBUILDs from the AUR Web Interface. These PKGBUILDs can be built into installable packages using makepkg, then installed using pacman. 


Let's take lxqt-about as example: It is both in the regular archlinux 
repository and in the AUR:


* https://www.archlinux.de/packages/community/x86_64/lxqt-about
* https://aur.archlinux.org/packages/lxqt-about-git/

So - what is the difference in this case: the community repository 
points to the release, the AUR package points to git master. The 
packaging consits only of the PKGBUILD aka the "build script". Thats all.


One can download these scripts and build  with a simple `makepkg`.
After building the package one can install the local packate with pacman:
* Repo: pacman -S lxqt-about
* local: pacman -U lxqt-about*tar.xz

And thats the whole magic - the only thing that the arch guys host is 
the PKGBUILD, maybe some patches and install instructions. So they don't 
have to care about any licensing or limitations - they only host the 
receipe.


For debian it could work the same way - just host the debian dir and be 
done with. Iirc the kde team work this way, they have only the debian 
dir in salsa. With a modified watch file it should be possible to get 
any source one want to. So the "only" thing needed is the infrastructure 
to host and maintain these repos. The rest is up to the user and a 
fundamental different approach as launchpad and ppa's.


Cheers Alf

PS: Please don't hit/yell at me if i've overly simplified some things. :)

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[gregor herrmann]

On Sun, 07 Apr 2019 16:31:24 +0200, Jonathan Carter wrote:

> Reading some of the initial replies to your post, it seems like people
> don't entirely understand what you mean by an AUR-like service. This
> would definitely be different than PPAs (in the launchpad sense) or
> bikesheds (which is still a terrible name for all the confusion it causes).

I'm one of those people.
And I still don't know what "an AUR-like service" is, or what
"packaging scripts" are.

After reading the intro at
https://wiki.archlinux.org/index.php/Arch_User_Repository I guess,
translated to Debian terms, we are talking about user-provided source
packages?
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Furry Lewis: Billy lyons & stack o' lee


signature.asc
Description: Digital Signature

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Andrey Rahmatullin]

On Sun, Apr 07, 2019 at 02:17:00PM +, Mo Zhou wrote:
> However, I got a hint from a fellow developer and learned that
> "Bikeshed" has its own meaning under Debian's context, according
> to some old mailing list fragments[2][3] -- which refers to a
> dak feature (This is the first time I heard of such thing).
Yes, I've meant this thing.
As you can see, the idea is old, but the ideas are not enough.

-- 
WBR, wRAR


signature.asc
Description: PGP signature

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Adrian Bunk]

On Sun, Apr 07, 2019 at 01:26:12PM +, Mo Zhou wrote:
>...
> (2) Dirty but useful non-free blobs, such as nvidia's cuDNN (CUDA Deep
> Neural Network) library, which dominates the field of high performance
> neural network training and inference. I really hate reading NVIDIA's
> non-free legal texts, and in such repository we can avoid reading the
> license and just get the scutwork done and make users happy.
> 
> (3) Data with obscure licensing. In this repository we can feel free to
> package pre-trained neural networks or training data without carefully
> examing the licensing.

The requirements for distributing software in the system you want to 
setup wouldn't be much different from what is required for non-free.

Anything that is legal to distribute can likely go into non-free.

>...
> (5) Packages that utilizes SIMD instructions heavily. Such package is
> very easy to package in such repo. (So this Proposal actually suppresses
> and replaces my SIMDebian project).

Run-time autodetection is the best solution.

We also have packages that build several versions of a program,
with a tiny wrapper that selects the best at startup.

> 2. Allows us to offload some low-popcon, or QA-questionable packages
> from the archive. Debian's archive size is continuously increasing, but
> the number of Debian Developers has been staying around 1000 for many
> many years. Saturation will definitely happen in the future if we do
> nothing to change - or saturation has already happended. An Archlinux
> Developer's saturation point may be several thousand (See Felix Yan, an
> Arch Dev), but a Debian Developer often saturate at, maybe 30~100?

You make it sound as if the number of packages would be what matters most.
Which is not true.

A low-popcon package that is old and stable and stale and doesn't depend 
on changing libraries usually just continues working with close to zero 
effort.

Most work is in the volatile areas of the archive, e.g. tensorflow as
one package might create more work than whatever you would consider
the saturation point for a single developer.

> Handing over some workload to the user community is not a bad thing,

"user community" sounds like a "somebody" that is in reality "nobody".

>...
> 3. Allows us to accept potential contributors friendly, and possibly
> form a new user community. The high quality standard of Debian may scare
> some potential contributors away.
>...

Package installation runs as root, which means you are granting root
access to the package creator of every single package you are installing.

Be it malicious intention or just a packaging mistake,
trust and quality are not really optional items.

> Best,
> Mo.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

The problem is not "who is responsible for implementing this", but "is
this valuable enough to implement".

If a group of people think it worthwhile to do something, they will be
glad to work together on a common belief, spontaneously.  I as the
initiator of the idea would definitely take action if I got enough
positive feedbacks.

On Sun, Apr 07, 2019 at 03:36:51PM +0200, Ondřej Surý wrote:
> > Can we implement it?
> 
> Who is “we”? This is the usual problem with missing
> DPA/bikesheds/whatever, the most productive developer “Somebody”
> hasn’t joined Debian yet...
> 
> Ondrej -- Ondřej Surý 
> 
> > On 7 Apr 2019, at 15:26, Mo Zhou  wrote:
> > 
> > Can we implement it?

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Jonathan Carter]

On 2019/04/07 15:26, Mo Zhou wrote:
> 3. Allows us to accept potential contributors friendly, and possibly
> form a new user community. The high quality standard of Debian may scare
> some potential contributors away. In the informal packaging area, it's
> easier for people to contribute. Look at AUR and Archlinux Trusted Users
> as example. Of course, we can promote high quality creations from users
> into debian archive.
> 
> Just a few of my naive thoughts. If this idea came true, I'll
> denfinitely be able to continue with TensorFlow and PyTorch packaging,
> at an significantly lower cost. I'm also happy to throw some of my
> low-popcon packages to this area, so I can focus on more valuable ones.
> This idea really excites me. Can we implement it?

+1, it's a good idea and I've thought of it before as well.

Reading some of the initial replies to your post, it seems like people
don't entirely understand what you mean by an AUR-like service. This
would definitely be different than PPAs (in the launchpad sense) or
bikesheds (which is still a terrible name for all the confusion it causes).

Have you put any thought in possible implementation yet? I don't think
it's a good idea to devise any kind of new source packages. It's
probably not even necessary to use existing source packages. If you'd
have the standard debian packaging for such an AUR^W... DUR? in a git
repository (maybe like salsa.debian.org/dur/*) with a standardised git
workflow for these, then it should be rather trivial to implement with a
helper script that fetches the upstream source and just builds that
package locally. So I think from a technical point of view, implementing
something like AUR for Debian doesn't seem so hard. It can also act as a
nice gateway to proper Debian development.

-Jonathan

-- 
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) 
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄  Be Bold. Be brave. Debian has got your back.

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

On Sun, Apr 07, 2019 at 10:05:35PM +0800, Shengjing Zhu wrote:
> 
> Why not just start this as a personal project? And prove it works.

This is going to be a non-trivial initial work. On a non-business
and free-software basis, listen to the others first would be very
helpful. Positive feedbacks always help you strive forward on
volunteered works, right?

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi,

This single sentence is quite ambiguous to non-native english speakers.

At the first glance I interpreted the sentence as
  "This will only lead to flamewars"
due to the meaning of bikeshed[1].

However, I got a hint from a fellow developer and learned that
"Bikeshed" has its own meaning under Debian's context, according
to some old mailing list fragments[2][3] -- which refers to a
dak feature (This is the first time I heard of such thing).

Do you mean I should stop and forget such thoughts, or just mean "This
is just the initiative of the 'Bikeshed' feature of dak"?

[1] https://www.urbandictionary.com/define.php?term=bikeshed
[2] https://lists.debian.org/debian-devel/2013/05/msg00131.html
[3] http://debian.2.n7.nabble.com/DAK-Commands-for-Bikesheds-td3650941.html

On Sun, Apr 07, 2019 at 06:32:37PM +0500, Andrey Rahmatullin wrote:
> Isn't the Bikesheds initiative just this?
> 
> -- 
> WBR, wRAR

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Peter Silva]

fwiw,  our organization doesn't have any debian devs.  We have a few
packages that we develop and deploy
for our internal needs, and make available to the internet with public
repositories.  they are (perhaps not perfectly) debian compliant packages,
but we aren't blessed debian devs (and frankly cannot be bothered to become
them.) (fwiw:
https://launchpad.net/~ssc-hpc-chp-spc/+archive/ubuntu/metpx-daily )

We have been publishing products on launchpad.net for years.  We were able
to do that relatively quickly.  We would love to be able to upstream to
debian, but haven't figured it out.  There is a much higher barrier to
entry.  Our only option at the moment is likely suse build service, but we
haven't bothered to figure that out either... We use ubuntu internally, and
that's enough for internal use, so the others are nice to haves.  for
nearly anything on launchpad, it should be pretty straightforward for adapt
to whatever gets done for debian.  It also provides an intermediate on-ramp
for gettting packages into Debian.

as non-debian devs, something like launchpad looks useful to us.

On Sun, Apr 7, 2019 at 9:54 AM Karsten Merker  wrote:

> On Sun, Apr 07, 2019 at 01:26:12PM +, Mo Zhou wrote:
>
> > The absense of a centralized, informal Debian package repository where
> > trusted users could upload their own packaging scripts has been
> > long-forgotten. As an inevitable result, many user packaging scripts
> > exist in the wild, scattered like stars in the sky, with varied
> > packaging quality. Their existence reflects our users' demand,
> > especially the experienced ones', that has not been satisfied by the
> > Debian archive. Such idea about informal packaging repository has been
> > demonstrated successful by the Archlinux User Repository (AUR). Hence,
> > it should be valuable to think about it for Debian.
> >
> > Assume that Debian has an informal packaging repository similar to AUR,
> > which distrbutes packaging scripts only and requires to be built
> > locally. According to my observation and experience, such a repository:
> >
> > 1. Allows packaging in some compromised manner to exist, which means
> > they dont fully comply with DFSG or Policy. This makes great sense for
> > several kinds of packages:
> >
> > (1) Packages that are extremely hard to made compliant to Policy. For
> > example, bazel the build system of TensorFlow and other Google products
> > - No Debian Developer can make it meet the Policy's requirement without
> > great sacrifice. The outcome doesn't worth the waste in time and energy.
>
> This is something that would probably be acceptable to me on
> Debian-hosted infrastructure, but ...
>
> > (2) Dirty but useful non-free blobs, such as nvidia's cuDNN (CUDA Deep
> > Neural Network) library, which dominates the field of high performance
> > neural network training and inference. I really hate reading NVIDIA's
> > non-free legal texts, and in such repository we can avoid reading the
> > license and just get the scutwork done and make users happy.
> >
> > (3) Data with obscure licensing. In this repository we can feel free to
> > package pre-trained neural networks or training data without carefully
> > examing the licensing.
>
> ... this is something that I personally have a big problem with
> because it would set a precedent that I don't want the Debian
> project to set.  We as a project host a non-free repository
> (which is fine for me), but before we take packages into
> non-free, we put a lot of effort into checking the licenses for
> problems (besides them being non-free).  Hosting a repository on
> Debian infrastructure that effectively states "we don't care for
> any license terms" is a no-go for me, even if it contains only
> packaging scripts and not the actual non-free components.
>
> Regards,
> Karsten
> --
> Ich widerspreche hiermit ausdrücklich der Nutzung sowie der
> Weitergabe meiner personenbezogenen Daten für Zwecke der Werbung
> sowie der Markt- oder Meinungsforschung.
>
>

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Shengjing Zhu]

On Sun, Apr 7, 2019 at 9:26 PM Mo Zhou  wrote:
>
> Hi folks,
>
> The absense of a centralized, informal Debian package repository where
> trusted users could upload their own packaging scripts has been
> long-forgotten. As an inevitable result, many user packaging scripts
> exist in the wild, scattered like stars in the sky, with varied
> packaging quality. Their existence reflects our users' demand,
> especially the experienced ones', that has not been satisfied by the
> Debian archive. Such idea about informal packaging repository has been
> demonstrated successful by the Archlinux User Repository (AUR). Hence,
> it should be valuable to think about it for Debian.
>
> Assume that Debian has an informal packaging repository similar to AUR,
> which distrbutes packaging scripts only and requires to be built
> locally. According to my observation and experience, such a repository:
>
> 1. Allows packaging in some compromised manner to exist, which means
> they dont fully comply with DFSG or Policy. This makes great sense for
> several kinds of packages:
>
> (1) Packages that are extremely hard to made compliant to Policy. For
> example, bazel the build system of TensorFlow and other Google products
> - No Debian Developer can make it meet the Policy's requirement without
> great sacrifice. The outcome doesn't worth the waste in time and energy.
>
> (2) Dirty but useful non-free blobs, such as nvidia's cuDNN (CUDA Deep
> Neural Network) library, which dominates the field of high performance
> neural network training and inference. I really hate reading NVIDIA's
> non-free legal texts, and in such repository we can avoid reading the
> license and just get the scutwork done and make users happy.
>
> (3) Data with obscure licensing. In this repository we can feel free to
> package pre-trained neural networks or training data without carefully
> examing the licensing.
>
> (4) Packages with dirty hacks, or targeted on testing the water. This
> makes sense for packages that doesn't worth the effort to make it fully
> compliant with Debian's quality requirement and some user just wants it.
>
> (5) Packages that utilizes SIMD instructions heavily. Such package is
> very easy to package in such repo. (So this Proposal actually suppresses
> and replaces my SIMDebian project).
>
> 2. Allows us to offload some low-popcon, or QA-questionable packages
> from the archive. Debian's archive size is continuously increasing, but
> the number of Debian Developers has been staying around 1000 for many
> many years. Saturation will definitely happen in the future if we do
> nothing to change - or saturation has already happended. An Archlinux
> Developer's saturation point may be several thousand (See Felix Yan, an
> Arch Dev), but a Debian Developer often saturate at, maybe 30~100?
> Handing over some workload to the user community is not a bad thing,
> especially for the cold packages.
>
> 3. Allows us to accept potential contributors friendly, and possibly
> form a new user community. The high quality standard of Debian may scare
> some potential contributors away. In the informal packaging area, it's
> easier for people to contribute. Look at AUR and Archlinux Trusted Users
> as example. Of course, we can promote high quality creations from users
> into debian archive.
>
> Just a few of my naive thoughts. If this idea came true, I'll
> denfinitely be able to continue with TensorFlow and PyTorch packaging,
> at an significantly lower cost. I'm also happy to throw some of my
> low-popcon packages to this area, so I can focus on more valuable ones.
> This idea really excites me. Can we implement it?
>

Why not just start this as a personal project? And prove it works.


-- 
Shengjing Zhu

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Ondřej Surý]

> Can we implement it?

Who is “we”? This is the usual problem with missing DPA/bikesheds/whatever, the 
most productive developer “Somebody” hasn’t joined Debian yet...

Ondrej
--
Ondřej Surý 

> On 7 Apr 2019, at 15:26, Mo Zhou  wrote:
> 
> Can we implement it?

Re: [Idea] Debian User Repository? (Not simply mimicing AUR)

[Andrey Rahmatullin]

Isn't the Bikesheds initiative just this?

-- 
WBR, wRAR


signature.asc
Description: PGP signature

[Idea] Debian User Repository? (Not simply mimicing AUR)

[Mo Zhou]

Hi folks,

The absense of a centralized, informal Debian package repository where
trusted users could upload their own packaging scripts has been
long-forgotten. As an inevitable result, many user packaging scripts
exist in the wild, scattered like stars in the sky, with varied
packaging quality. Their existence reflects our users' demand,
especially the experienced ones', that has not been satisfied by the
Debian archive. Such idea about informal packaging repository has been
demonstrated successful by the Archlinux User Repository (AUR). Hence,
it should be valuable to think about it for Debian.

Assume that Debian has an informal packaging repository similar to AUR,
which distrbutes packaging scripts only and requires to be built
locally. According to my observation and experience, such a repository:

1. Allows packaging in some compromised manner to exist, which means
they dont fully comply with DFSG or Policy. This makes great sense for
several kinds of packages:

(1) Packages that are extremely hard to made compliant to Policy. For
example, bazel the build system of TensorFlow and other Google products
- No Debian Developer can make it meet the Policy's requirement without
great sacrifice. The outcome doesn't worth the waste in time and energy.

(2) Dirty but useful non-free blobs, such as nvidia's cuDNN (CUDA Deep
Neural Network) library, which dominates the field of high performance
neural network training and inference. I really hate reading NVIDIA's
non-free legal texts, and in such repository we can avoid reading the
license and just get the scutwork done and make users happy.

(3) Data with obscure licensing. In this repository we can feel free to
package pre-trained neural networks or training data without carefully
examing the licensing.

(4) Packages with dirty hacks, or targeted on testing the water. This
makes sense for packages that doesn't worth the effort to make it fully
compliant with Debian's quality requirement and some user just wants it.

(5) Packages that utilizes SIMD instructions heavily. Such package is
very easy to package in such repo. (So this Proposal actually suppresses
and replaces my SIMDebian project).

2. Allows us to offload some low-popcon, or QA-questionable packages
from the archive. Debian's archive size is continuously increasing, but
the number of Debian Developers has been staying around 1000 for many
many years. Saturation will definitely happen in the future if we do
nothing to change - or saturation has already happended. An Archlinux
Developer's saturation point may be several thousand (See Felix Yan, an
Arch Dev), but a Debian Developer often saturate at, maybe 30~100?
Handing over some workload to the user community is not a bad thing,
especially for the cold packages.

3. Allows us to accept potential contributors friendly, and possibly
form a new user community. The high quality standard of Debian may scare
some potential contributors away. In the informal packaging area, it's
easier for people to contribute. Look at AUR and Archlinux Trusted Users
as example. Of course, we can promote high quality creations from users
into debian archive.

Just a few of my naive thoughts. If this idea came true, I'll
denfinitely be able to continue with TensorFlow and PyTorch packaging,
at an significantly lower cost. I'm also happy to throw some of my
low-popcon packages to this area, so I can focus on more valuable ones.
This idea really excites me. Can we implement it?

Best,
Mo.