On Tue, Sep 22, 2020 at 08:56:25PM +1000, Dmitry Smirnov wrote:
>
> As discussed in debian-devel, Kubernetes package abuses Debian practices
> and Golang team policies by needlessly vendoring hundreds(!) of libraries,
> most of which are available in Debian.
>
> For a complex package like Kubernetes, _some_ strategic vendoring would be
> understandable for practical reasons. But not everything.
>
> Maintainer circumvented packaging practices and introduced re-packaged
> Kubernetes in a state that would have never been accepted by ftp-masters.
>
> Please consider removing redundant libraries from "vendor".
> In the current state, the package is unsuitable for "stable".

It's not entirely clear to me if the policy concerns are around licensing
compliance or simply the volume of vendored dependencies.

Wearing my Kubernetes SIG Chair/upstream hat: I believe that the license
compliance of everything in vendor/ has been thoroughly vetted, but that
information may not have been adequately surfaced for downstream projects
to use. In this case, any violations are surface-level/paperwork as opposed
to fundamental issues with DFSG compliance.

I've requested that upstream better surfaces this information in order to
be able to build Kubernetes in a policy-compliant way in Debian:
https://github.com/kubernetes/kubernetes/issues/94976

Thanks,
- e