Package: dpkg-dev, debian-policy
Version: 1.17.27, 3.9.8.0

dpkg-source has a surprising and not-very-well-documented feature,
that it is possible to have in a `3.0 (quilt)' package a
vendor-specific series file, which is used only if the vendor matches
that of the running host.[1]

This feature is a very bad idea.  I can see why people thought it
might be nice: it means you can use the same (or very similar) .dsc
(and perhaps vcs history) on different distros.

But it is quite wrong, because it means that the same source package
has different "contents" on different computers.

For example, if I am a Debian contributor and I download the Ubuntu
version of the package and build it to see how it works, I actually
get the Debian version.  And vice versa.

The version of the package you get should depend on where you got the
package from, not where you are looking at it.

There are only a handful of packages in current Debian that use this
feature.[2]

Concretely, I would like the following changes made:

 In dpkg-source:

 * Remove all traces of this feature from the documentation, except to
   mention it in the source format 3.0 description as a deprecated
   feature.

 * Whenever a package being extracted has a non-default series
   file, print a big warning (regardless of whether the non-default
   series file is going to be used).

 * Warn that dpkg-source in buster will refuse to generate a `3.0
   (quilt)' source package containing non-default series files.

 * Warn that dpkg-source in buster will never apply anything other
   than the default series file (reestablishing a uniform meaning of
   all source packages on all computers).

 In policy:

 * Say that a package MUST NOT contain a non-default series file.
   (obviously with an expectation that these newly-declared RC bugs
   will not be fixed in stretch)

 (And the consequential lintian change.)

I am not yet supplying patches for dpkg-source and for policy, because
I think deprecating this feature will involve some discussion.

Ian.

PS: Of course I have an angle.  dgit depends on the assumption that a
source package means a particular tree.  This feature breaks that
assumption, and as a result dgit must always fail on packages where
this feature is in use.

[1]
 in dpkg.git, 4fa01b70df1dc4458daee306cfa1f987b69da58c
 "dpkg-source: correctly create .pc/.quilt_series with alternate series files"

[2] In private email, Guillem wrote to me:

 It seems it is "documented" (not very explicitly though, search for
 /debian\.series/ in dpkg-source(1)). And several (but not many)
 packages at least in Debian use this:

 ,---
 $ apt-file -x -I dsc search 'debian/patches/.*\.series'
 ddccontrol: /debian/patches/ubuntu.series
 deluge: /debian/patches/ubuntu.series
 fail2ban: /debian/patches/neurodebian-backport.series
 hexchat: /debian/patches/ubuntu.series
 libfreenect: /debian/patches/neurodebian-backport.series
 libxbean-java: /debian/patches/bootstrap.series
 libxbean-java: /debian/patches/full.series
 libxfce4util: /debian/patches/ubuntu.series
 lilo: /debian/patches/ubuntu.series
 mixxx: /debian/patches/ubuntu.series
 packagekit: /debian/patches/ubuntu.series
 qjackctl: /debian/patches/ubuntu.series
 smuxi: /debian/patches/ubuntu.series
 xfce4-smartbookmark-plugin: /debian/patches/ubuntu.series
 zlib: /debian/patches/debian.series
 `---

 Not sure if this is more widespread in other derivatives.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
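
An added example, not part of the original message and not dpkg or dgit code: a check over an unpacked `3.0 (quilt)' source tree that lists non-default series files and shows how the applied patch list changes with the vendor of the extracting host. It assumes the lookup described in dpkg-source(1) (debian/patches/<lowercased vendor>.series if present, otherwise debian/patches/series); the function names, patch names and sample tree are constructed for illustration.

```python
import os
import tempfile

def read_series(path):
    """Return patch names from a quilt series file, skipping comments and blanks."""
    patches = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line:
                patches.append(line.split()[0])  # drop trailing options such as -p1
    return patches

def series_files(tree):
    """Map each series file name in debian/patches to its patch list."""
    pdir = os.path.join(tree, "debian", "patches")
    found = {}
    if os.path.isdir(pdir):
        for name in sorted(os.listdir(pdir)):
            if name == "series" or name.endswith(".series"):
                found[name] = read_series(os.path.join(pdir, name))
    return found

def effective_series(tree, vendor):
    """Assumed lookup order: <vendor>.series if present, else series, else None."""
    found = series_files(tree)
    name = vendor.lower() + ".series"
    return name if name in found else ("series" if "series" in found else None)

def audit(tree, vendors=("Debian", "Ubuntu")):
    """Return (non-default series files, {vendor: patches that vendor would apply})."""
    found = series_files(tree)
    non_default = [n for n in found if n != "series"]
    per_vendor = {v: found.get(effective_series(tree, v), []) for v in vendors}
    return non_default, per_vendor

def make_sample_tree(root):
    """Constructed sample tree: a default series plus an ubuntu.series."""
    pdir = os.path.join(root, "debian", "patches")
    os.makedirs(pdir)
    with open(os.path.join(pdir, "series"), "w") as fh:
        fh.write("# default series\nfix-build.patch\n")
    with open(os.path.join(pdir, "ubuntu.series"), "w") as fh:
        fh.write("fix-build.patch\nubuntu-branding.patch -p1\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample_tree(tmp)))
```

A non-empty first element is the condition the proposed dpkg-source warning and policy rule would flag; differing per-vendor lists show the same tree yielding different contents on different hosts.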
