I am the upstream maintainer of libpaper (which used to be a pure-Debian project), and also a Debian Maintainer trying to get a new version of libpaper into Debian. (It involves an API/ABI transition, from the current libpaper1 to libpaper2.)
Bastian Germann (b...@debian.org) is kindly helping with the packaging and sponsoring my upload. I just got a rejection for libpaper_2.0.3-1 from ftp-master (in this case, Thorsten Alteholz), who said "I didn't find any explanation why you embedded a copy of gnulib in your source tarball. Do you really need that?" Like many GNU packages, my rewrite of libpaper uses gnulib, a source library that's effectively a polyfill for POSIX & GNU APIs, and my libpaper releases distribute some gnulib source files as part of the release tarball. Other Debian packages that work this way include coreutils and grep. Some other Debian packages build-depend on Debian's gnulib package. This won't necessarily work for libpaper, because gnulib is not versioned: libpaper depends on a specific commit of gnulib, and there are often bug fixes or API changes. Bastian asked me to build-depend on gnulib, which I have so far declined to do, as that would make the Debian package's sources effectively different from those that I release as upstream maintainer. Also, a build-depend on gnulib would not directly address Thorsten's problem with the package, as the source archive would still contain gnulib sources (although maybe it would be OK if they weren't used?). I had a look at a package that does build-depend on gnulib, wget2, and its source tarball contains gnulib files. I have searched the debian-devel archives and found a few reference s to gnulib, but no definitive ruling about how gnulib should be treated. Bastian rightly points out that by including gnulib sources, packages such as coreutils cannot easily be updated for security bugs in gnulib; but to me this seems to be a problem with gnulib itself (it's a source library, that's how it works), rather than with the packaging of programs that use gnulib. Another of Bastian's suggestions is that I base the Debian package on a git snapshot, as that does not include gnulib files; but this still has the problem that the Debian package would not be built from a release of libpaper. I am a bit torn here: with my DM hat on, stripping out gnulib sources where possible and using Debian's gnulib package seems the right thing to do. With my upstream hat on it leads potentially to bug reports that don't correspond to an upstream release; and further few Debian packages that use gnulib actually seem to use this method (there are 26 build-rdeps of gnulib). Help? (With many thanks to the several DDs that have already helped on the nearly 10-year journey to get libpaper updated!) -- https://rrt.sc3d.org