Re: What to do when DD considers policy to be optional? [kubernetes]

2020-03-24 Thread Janos LENART
Hi Dimitry, FTP masters and others,

I know Dimitry was fighting an uphill battle with kubernetes between 2016
and 2018 and he experienced first hand the problems posed by vendored code.

We see more and more software making excessive use of vendored code. Pretty
much everything that is written in Go. Some of these are crucially
important, like Docker or Kubernetes. So I understand the concern everyone
has about how this fits with the Debian Policy.

Debian Policy, paragraph 4.13 states:
(for your convenience I include it below :) )
https://www.debian.org/doc/debian-policy/ch-source.html#convenience-copies-of-code

=
4.13 Convenience copies of code

Some software packages include in their distribution convenience copies of
code from other software packages, generally so that users compiling from
source don’t have to download multiple packages. Debian packages should not
make use of these convenience copies unless the included package is
explicitly intended to be used in this way. [17] If the included code is
already in the Debian archive in the form of a library, the Debian
packaging should ensure that binary packages reference the libraries
already in Debian and the convenience copy is not used. If the included
code is not already in Debian, it should be packaged separately as a
prerequisite if possible. [18]

[18] Having multiple copies of the same code in Debian is inefficient,
often creates either static linking or shared library conflicts, and, most
importantly, increases the difficulty of handling security vulnerabilities
in the duplicated code.
=

I think this is the part that has the most bearing on the vendored code
problem, especially the footnote. I agree with this principle. But we
should apply it to the state of affairs in 2020, and to this specific
situation.

Keeping all that in mind, here are the reasons why I think it is acceptable
for now to package Kubernetes with the vendored code, and even the best
solution that is available currently:

1. OTHER EXAMPLES. If we take this paragraph completely literally and to
the extreme then other packages are also in violation of it. True, the
current packaging of kubernetes does this to a greater extent than its
predecessor for example, but perhaps this shows that this section was
always open for interpretation. Examples of some prominent packages in
Debian that bundle and use the vendored code (in parentheses is the number
of go packages bundled, estimate):
- docker.io (58, including some that are vendored more than once within the
same source package, but not including the fact that docker.io itself is
made up of 7 tarballs)
- kubernetes (20 for the previous version, 200 now)
- prometheus (4)
- golang (4)
None of these were REJECTed, and please don't sabotage these packages now
:-D The idea was only to show that, at least for now, vendoring is a fact
in Debian. There is an effort to improve the situation but in the meantime
we just go on. Not great, not terrible..

2. MAINTAINABILITY. Having every single vendored repo available as a
separate package in Debian is not feasible. It is true that some of them
are already packaged. But the expectation that all of them are (with the
exact version that is needed for Kubernetes), is not going to happen. Also,
the golang-* packages have a number of different maintainers. Hundreds of
such packages would be required to build Kubernetes. So one can rest
assured that every future release in Debian will be blocked on waiting for
dozens of these packages to be updated. Dimitry and a few others worked
hard on trying to pull this off but even they could not do it. Since 2016 a
total of 3 Kubernetes releases made it into Debian/unstable, but there have
been 17 major and countless minor upstream releases of Kubernetes.
Thousands of issues were fixed upstream, including serious security flaws,
these never made it into Debian. Exactly because the packaging was too
difficult to maintain. So, how maintainable was that solution then, despite
the huge amount of effort put in? In my opinion this shows that the
reasoning on maintainability in DP does not apply here.

3. NO FORKS. Debian developers hacking Kubernetes source code, so it
compiles with a lucky enough version of a dependency that made it into
Debian, makes the Debian version of Kubernetes different from the standard
one that everyone expects. This is totally unwelcome to almost every user.
No sane cluster admin would dare to use this "fork", ever. There were some
attempts to get the Kubernetes contributors to update dependencies to a
specific version: https://github.com/kubernetes/kubernetes/issues/27543 .
Reading the whole thread helps to put some perspective on this. The
Kubernetes contributors were actually quite helpful throughout but they
have made it clear that they will not update dependencies for update's
sake. Maybe with some projects Debian would have the upper hand, but not
with Kubernetes.

4. TESTING. The Kubernetes 

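The per-package counts in point 1 above are estimates of how much third-party code a source package carries in its vendor tree, and footnote [18] is precisely about having to patch every copy when a vulnerability lands in it. As an added example (not part of the post, and not Debian or Kubernetes tooling), the following Go program reads a module-mode `vendor/modules.txt`, counts the vendored modules, flags upstream projects that are present in more than one copy (a v1 and a `/v2` module path, for instance), and lists modules that a `replace` directive points at a different source than the one their path names. The manifest it parses is a constructed sample with hypothetical module names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleModulesTxt is a constructed vendor/modules.txt, not taken from
// kubernetes or any real package; all module names are hypothetical.
const sampleModulesTxt = `# github.com/example/logfmt v0.4.0
## explicit
github.com/example/logfmt
# github.com/example/logfmt/v2 v2.1.0
## explicit
github.com/example/logfmt/v2
github.com/example/logfmt/v2/internal/scan
# github.com/example/netutil v1.2.3 => github.com/fork/netutil v1.2.3-patched
## explicit
github.com/example/netutil
# golang.org/x/text v0.3.2
golang.org/x/text/transform
golang.org/x/text/unicode/norm
`

// VendoredModule is one "# path version [=> replacement]" entry of
// vendor/modules.txt together with the packages vendored from it.
type VendoredModule struct {
	Path        string
	Version     string
	Replacement string // set when a replace directive redirected the module
	Packages    []string
}

// ParseModulesTxt reads the module-mode vendor manifest: "# module version"
// header lines, optional "## explicit" annotations, then one package import
// path per line until the next header.
func ParseModulesTxt(content string) []VendoredModule {
	var mods []VendoredModule
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "## "):
			continue // blank line or "## explicit" annotation
		case strings.HasPrefix(line, "# "):
			fields := strings.Fields(line[2:])
			m := VendoredModule{Path: fields[0]}
			if len(fields) > 1 && fields[1] != "=>" {
				m.Version = fields[1]
			}
			for i, f := range fields {
				if f == "=>" && i+1 < len(fields) {
					m.Replacement = strings.Join(fields[i+1:], " ")
				}
			}
			mods = append(mods, m)
		default:
			if len(mods) > 0 {
				last := &mods[len(mods)-1]
				last.Packages = append(last.Packages, line)
			}
		}
	}
	return mods
}

// majorSuffix matches semantic-import-versioning suffixes such as "/v2".
var majorSuffix = regexp.MustCompile(`/v[2-9][0-9]*$`)

// MultiplyVendored groups modules by upstream project (module path minus
// any /vN suffix) and returns the projects present in more than one copy,
// each copy given as "path version". Two copies means two places to patch
// when a vulnerability is fixed in that code.
func MultiplyVendored(mods []VendoredModule) map[string][]string {
	byProject := map[string][]string{}
	for _, m := range mods {
		key := majorSuffix.ReplaceAllString(m.Path, "")
		byProject[key] = append(byProject[key], m.Path+" "+m.Version)
	}
	dups := map[string][]string{}
	for project, copies := range byProject {
		if len(copies) > 1 {
			sort.Strings(copies)
			dups[project] = copies
		}
	}
	return dups
}

// Replaced lists modules that a replace directive points elsewhere: the
// compiled code is no longer what the upstream path and version name, so
// an advisory keyed on that path may not describe what was actually built.
func Replaced(mods []VendoredModule) []string {
	var out []string
	for _, m := range mods {
		if m.Replacement != "" {
			out = append(out, m.Path+" => "+m.Replacement)
		}
	}
	return out
}

func main() {
	mods := ParseModulesTxt(sampleModulesTxt)
	fmt.Printf("%d vendored modules\n", len(mods))
	for project, copies := range MultiplyVendored(mods) {
		fmt.Printf("vendored more than once: %s -> %v\n", project, copies)
	}
	for _, r := range Replaced(mods) {
		fmt.Println("replaced:", r)
	}
}
```

Two caveats when using this on a real source package. It only understands module-mode vendoring; trees produced by older tools (vendor.conf, Godeps) with nested vendor/ directories, which is how a package can end up with the same import path vendored more than once, need a directory walk rather than a manifest parse. And because Go resolves a single version per module path, a second copy inside one modules.txt only shows up as a distinct major-version path; copies spread across several tarballs of the same source package are invisible to it.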
Accepted google-authenticator 20170702-2 (source amd64) into unstable

2018-09-26 Thread Janos Lenart
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 Sep 2018 16:45:00 +0100
Source: google-authenticator
Binary: libpam-google-authenticator
Architecture: source amd64
Version: 20170702-2
Distribution: unstable
Urgency: medium
Maintainer: Janos Lenart 
Changed-By: Janos Lenart 
Description:
 libpam-google-authenticator - Two-step verification
Closes: 908929
Changes:
 google-authenticator (20170702-2) unstable; urgency=medium
 .
   * Updated to use libqrencode4 (Closes: #908929).
Checksums-Sha1:
 af8754155105fb7c099e904205e2c184a209471d 1570 google-authenticator_20170702-2.dsc
 8cc47f79adea15a14b1504028338fff08b6db014 4304 google-authenticator_20170702-2.debian.tar.xz
 324b40d6540b3c52ef044fa9229e7bc80a200929 6835 google-authenticator_20170702-2_amd64.buildinfo
 2ae9699fd6215bfbd2163f0adc4a570c858e8351 60170 libpam-google-authenticator-dbgsym_20170702-2_amd64.deb
 9e9fab305450f9967a0cf0b6313ba35772a18b5c 32796 libpam-google-authenticator_20170702-2_amd64.deb
Checksums-Sha256:
 7092fb84194239620548d401f03c686c0e963311c8b9d1406cf67ff51d06e031 1570 google-authenticator_20170702-2.dsc
 c0bbba4e4724f21dfa7d49693c269695e02a48a4441f9958bc0d56d84355997b 4304 google-authenticator_20170702-2.debian.tar.xz
 6e8c86a0a4d58040f03459715be98ae58f592a1b779d09e4db62eb0c8618f890 6835 google-authenticator_20170702-2_amd64.buildinfo
 e064bb237259533c2039a033e05fe030afbf983861b5ab57176ff7c22b32e88a 60170 libpam-google-authenticator-dbgsym_20170702-2_amd64.deb
 9c14385fc41ca53bb58c50b366bf6b2083d947d38f29c4376fbf35ad0603e675 32796 libpam-google-authenticator_20170702-2_amd64.deb
Files:
 c47e2dc2d72ef8710d14a73117e0640d 1570 admin optional google-authenticator_20170702-2.dsc
 f993c59ab2f85264130c5c9a7772aaf8 4304 admin optional google-authenticator_20170702-2.debian.tar.xz
 897efc8ba3a6c39d8c35d61581fa62cb 6835 admin optional google-authenticator_20170702-2_amd64.buildinfo
 b2295e3036c829d46fd3e523d92109de 60170 debug extra libpam-google-authenticator-dbgsym_20170702-2_amd64.deb
 98de302417f3116a70fd616724d766c3 32796 admin optional libpam-google-authenticator_20170702-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFEBAEBCgAuFiEER8wRF8gFmDcPrXi0JHmvJU99vGUFAlurqeMQHG9jc2lAZGVi
aWFuLm9yZwAKCRAkea8lT328ZU60CACMtnz2vgN7lHgnuMmL1AkSPYpI0BanGWzL
mKSsrvpY3wysFRJJp7iJSQYhYNQ/KvBUsJF5B27/1QuGoqy8onHoRUptfEUxTwi5
aCTUqxYexycebmKwmv9+MWrgyrQCSbLA3B/KkS0Rl71+wM6Rl+c5SOcWIs5RfER3
ACurYb+7jxeJoIG9e1Euhkw0HXkHUCXeEi5akhzqOTy8Uq/P99WE2mRyBcSN6a3r
653UYGyptkoc8TsDnIHrmuBgs18F992lwUanLOG7tyDkzHhYA+s0EoTPOcrXrW5u
LFtOIAKsAqCOgNiL2i7Fvq2Kt1Kg8M5U0ACQIgIHAWCYLrvIy3xM
=PBoe
-----END PGP SIGNATURE-----



Accepted sshfp 1.2.2-6 (source all) into unstable

2018-09-26 Thread Janos Lenart
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 Sep 2018 13:53:00 +0100
Source: sshfp
Binary: sshfp
Architecture: source all
Version: 1.2.2-6
Distribution: unstable
Urgency: low
Maintainer: Janos Lenart 
Changed-By: Janos Lenart 
Description:
 sshfp  - DNS SSHFP records generator
Closes: 826630
Changes:
 sshfp (1.2.2-6) unstable; urgency=low
 .
   * Adopting package. (Closes: #826630)
Checksums-Sha1:
 505fb6e008e1a04452ac4448d81ce7a6f2d019a7 1468 sshfp_1.2.2-6.dsc
 50858ad9d075c26a89935da62c6c35f2ced5b5a7 6168 sshfp_1.2.2-6.debian.tar.xz
 33cced244c07f19bd66d7b6b18c8f4b86656be01 24744 sshfp_1.2.2-6_all.deb
 2c524cf116f9d3414cedfb894de64a2883a68259 6664 sshfp_1.2.2-6_amd64.buildinfo
Checksums-Sha256:
 2533fb7329937b83b6e2ebfbf1c1c6d0a6e0aff44f1eeb424d92da73ec7af4be 1468 sshfp_1.2.2-6.dsc
 1c5567c6ba56db3b4173aff59704b91f41fd1e618803d962009e6d63520f0d2b 6168 sshfp_1.2.2-6.debian.tar.xz
 d1ef4d7c500d98253eaa71cf5b7d292fa17f4d10710a37dc6e04ccf951dc0fcd 24744 sshfp_1.2.2-6_all.deb
 3d7042a952a32fb648e03be8887378a3821567fe5521fb4f009fce5f5e66b0ba 6664 sshfp_1.2.2-6_amd64.buildinfo
Files:
 df74a8e2dd1d6d4e4783a7f800c30309 1468 net extra sshfp_1.2.2-6.dsc
 6de5899ec5b3b830aa07acf5cf39c4a5 6168 net extra sshfp_1.2.2-6.debian.tar.xz
 2be8abf48c260dbc6d635fd3367966ee 24744 net extra sshfp_1.2.2-6_all.deb
 07a3ef708ae0b2504ba19c96c2d1aa99 6664 net extra sshfp_1.2.2-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFEBAEBCgAuFiEER8wRF8gFmDcPrXi0JHmvJU99vGUFAluro4gQHG9jc2lAZGVi
aWFuLm9yZwAKCRAkea8lT328ZU/MCACFrhm5h0ARxnfqhtFbXrTn9QOv4nhmPg/z
VCdWwJA65YOnc+9N1GKktuKfuYqceaomwhhGmg0da776sK6TJf/awQ+0q/l24LAz
/fleNZt/f0KoaROEqiNp1q5bxLr7676gFJ7OKnQNC56+HimpRuW0zxEH9gOpMxi3
Mk5/Qo3MpYX7yikc7pwsfskoJNQftZG2kJAa6wgGuH0zQpgQuErlMVIKbsloGGqR
+tV7/4rs5Zmx/OYemtcVOUyu3cVomr2oVIykZRBf3aLDIHoaibGJP0yEZK0lxIOF
iRy6Czrv/TVrWijnJtKIdMWEgrKdozbjYD/yvNmeiR0MiWkzsZTo
=Zbpn
-----END PGP SIGNATURE-----



Accepted google-authenticator 20170702-1 (source amd64) into unstable

2017-07-02 Thread Janos Lenart
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Jul 2017 11:02:29 +0100
Source: google-authenticator
Binary: libpam-google-authenticator
Architecture: source amd64
Version: 20170702-1
Distribution: unstable
Urgency: medium
Maintainer: Janos Lenart <o...@debian.org>
Changed-By: Janos Lenart <o...@debian.org>
Description:
 libpam-google-authenticator - Two-step verification
Closes: 864187
Changes:
 google-authenticator (20170702-1) unstable; urgency=medium
 .
   * Upstream update (00065df) (Closes: #864187).
Checksums-Sha1:
 a1636e3f431c4ec4e98eb262e62958c160749370 1570 google-authenticator_20170702-1.dsc
 676daeda82925696397da93e856995f39e3bd569 54076 google-authenticator_20170702.orig.tar.gz
 b25a6d2265a3f6721bfe364d3a29c25a9b270b75 3956 google-authenticator_20170702-1.debian.tar.xz
 b35030ab4ed90f11a4f89b7d367bc6c9e3e35ddd 6454 google-authenticator_20170702-1_amd64.buildinfo
 2f0db7f28392f282346f9eb2695398743483c5ca 60188 libpam-google-authenticator-dbgsym_20170702-1_amd64.deb
 57591b5dcda3877c3ddf2d2d5e2a342e7cf3539c 32742 libpam-google-authenticator_20170702-1_amd64.deb
Checksums-Sha256:
 b23ae664c3e31b222c89f4712c4e212c4d5dc56b85c8ae989f6d6707e414b098 1570 google-authenticator_20170702-1.dsc
 bc813dd4b280d9b38acaeb4d54ca54c224c918f28da13343a0ff4eda9fa75fce 54076 google-authenticator_20170702.orig.tar.gz
 afa75ae4bdd82965b2043e902b1f4e36c3220db6852109e29c93757613b0aaeb 3956 google-authenticator_20170702-1.debian.tar.xz
 dc696d8a004a18380621e50ac9b7a3d25363fe2e189df6d066e1ac1e812d29f2 6454 google-authenticator_20170702-1_amd64.buildinfo
 52ed464dd50ffd55de4d91d88e08244e9e18d8f3757a0dbb7b31da39c65575cc 60188 libpam-google-authenticator-dbgsym_20170702-1_amd64.deb
 b613bec7adcbcf9274c9e3726833ade701d8c02b232a51711e72bc8f1bd35ffd 32742 libpam-google-authenticator_20170702-1_amd64.deb
Files:
 147d2fd3d3a637718661c2f96fcd218a 1570 admin optional google-authenticator_20170702-1.dsc
 d9fa30f5a9af6b4d44c158899263651d 54076 admin optional google-authenticator_20170702.orig.tar.gz
 ca1301b1381c9c1ac291fddeeca042e8 3956 admin optional google-authenticator_20170702-1.debian.tar.xz
 8175a984d1bf8fa97a529b87959674d5 6454 admin optional google-authenticator_20170702-1_amd64.buildinfo
 261b537081d716c933650d20ddbec8e3 60188 debug extra libpam-google-authenticator-dbgsym_20170702-1_amd64.deb
 64bbffe2dce558b8e0fda2bb8ac4c61a 32742 admin optional libpam-google-authenticator_20170702-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFEBAEBCAAuFiEER8wRF8gFmDcPrXi0JHmvJU99vGUFAllYx6YQHG9jc2lAZGVi
aWFuLm9yZwAKCRAkea8lT328ZZrUB/kBr2BisuGnqCQJbYuhtIqWxRhwrxpwH60z
T6oveomk5yyzsOv/7Kne7MNyQLMNogRcJFtVS9MKSRyR+BQt/9w8kQgjuf9+iTa6
+dXPosofFECmb3CEimUU0FUHhVsM00TDlvIkVXBaZa5M6IpUOotlCAz0lWQj0v6a
tZbssCHp9HMq0n67klKMxJN2P1nqGEa5XXHLg3mwI2AaPR6k33eab/pL5JtDhX2e
38HDKJDvZ/rvpfHy8m3tFb6dXp+SdTxeEzkiXNYBSt0RCczTkh6pVN4X+U7dJqCi
3Sz50+fn3tkGIg+DE2gsChq7Ije/h9Uwhp8ihewVZae1in8tFI0x
=BlRc
-----END PGP SIGNATURE-----



Accepted google-authenticator 20160607-2 (source amd64) into unstable

2016-06-19 Thread Janos Lenart
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 19 Jun 2016 18:49:09 +0100
Source: google-authenticator
Binary: libpam-google-authenticator
Architecture: source amd64
Version: 20160607-2
Distribution: unstable
Urgency: high
Maintainer: Janos Lenart <o...@debian.org>
Changed-By: Janos Lenart <o...@debian.org>
Description:
 libpam-google-authenticator - Two-step verification
Closes: 826683 827670
Changes:
 google-authenticator (20160607-2) unstable; urgency=high
 .
   * Moved lib to /lib/x86_64-linux-gnu/security/ (Closes: #827670).
   * Fixed typo in manpage (Closes: #826683).
Checksums-Sha1:
 3cc64afb3189973bb2c5bce103bf5dce184d1746 1533 google-authenticator_20160607-2.dsc
 98c1b1b6c9aa83ad629f0ec25ab90d2d4efdec0a 3904 google-authenticator_20160607-2.debian.tar.xz
 c12ce2f6287faac8d642acae0480fa97187b96f3 58546 libpam-google-authenticator-dbgsym_20160607-2_amd64.deb
 949e7fcc83ad1d89fbe17680d636a23de77b53f1 32038 libpam-google-authenticator_20160607-2_amd64.deb
Checksums-Sha256:
 e51a52e3b773ed144150801d85aaebfcda4c16d079e772528f18d80aaf308cc7 1533 google-authenticator_20160607-2.dsc
 0ae312ef4819b97aed55c1a257924f5a6ce64e0f5e9d541946378f63b98c903a 3904 google-authenticator_20160607-2.debian.tar.xz
 25ede47daf8ac3231d22a9ab8adc4ca810eb93b2dd707191149329178ee4300d 58546 libpam-google-authenticator-dbgsym_20160607-2_amd64.deb
 3b0a44a7ccef48435993ef0570e710765690e5c185ba3ac99cab2e35d991ef6b 32038 libpam-google-authenticator_20160607-2_amd64.deb
Files:
 428f1ce859461259a9a835948faffc71 1533 admin optional google-authenticator_20160607-2.dsc
 3afb347e3bb0264caa325b05e121fa1c 3904 admin optional google-authenticator_20160607-2.debian.tar.xz
 74adf924be3365236eeb49b3c9462df7 58546 debug extra libpam-google-authenticator-dbgsym_20160607-2_amd64.deb
 c9361017250a8fbf418b16293b9df820 32038 admin optional libpam-google-authenticator_20160607-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXZt+WAAoJECR5ryVPfbxltl4H/jg6eZfZVobx4yBwGIJ2RoQ6
XIT4xB4fNGWzqzDPvomXHCRvf/4tGAF1Jgw5vpwOH9xvTIR9O9Ys/Ib/gdt/EwhL
nyJECW+PD5jZPEev3vfprjNES25ZIo1JBLm/fLI4ETIG7EzXMraP5uiiaookY1sU
p2vojUUwpahed5tGkATlTcTO7s2/pOQ0P2uhEGOZBK7DZjIzykEGpLqqpEV8a+F6
85oZfLK6lsmgIvFJisnFbwSpmmfQDuBDnUNNQZ7LLbMws/f795Qocl8WVtOz6+3e
C3G3EbWT0mHeGIE6IPQ/8172tPywcwY33vX4t5lbMdOpyL1FGRrOaO+dhnIft5Q=
=XoJs
-----END PGP SIGNATURE-----



Accepted google-authenticator 20160607-1 (source amd64) into unstable

2016-06-07 Thread Janos Lenart
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Jun 2016 16:59:57 +0100
Source: google-authenticator
Binary: libpam-google-authenticator
Architecture: source amd64
Version: 20160607-1
Distribution: unstable
Urgency: low
Maintainer: Janos Lenart <o...@debian.org>
Changed-By: Janos Lenart <o...@debian.org>
Description:
 libpam-google-authenticator - Two-step verification
Changes:
 google-authenticator (20160607-1) unstable; urgency=low
 .
   * Upstream update (6d45740)
Checksums-Sha1:
 bfb732b1b4092885d0ca72d83736fd13a05057f6 1533 google-authenticator_20160607-1.dsc
 1cfc3de8e8835e68408eab9b6e32d071338b75b6 41225 google-authenticator_20160607.orig.tar.gz
 6ee9c42b728ec9d6221df79a62bac3189a44b96b 3780 google-authenticator_20160607-1.debian.tar.xz
 ff7058a48903793fed34b46021bf2679a8faa141 58538 libpam-google-authenticator-dbgsym_20160607-1_amd64.deb
 6b02b933544776fecc837d5a60b8012d8e519abd 31994 libpam-google-authenticator_20160607-1_amd64.deb
Checksums-Sha256:
 b806321727a06c9c39a9085f62ba5cc577ddc499db5742bdebc3ad1e1eb11618 1533 google-authenticator_20160607-1.dsc
 3300b83c26aa6481136e735ca286ca73a3690f38356654cc086da1792165 41225 google-authenticator_20160607.orig.tar.gz
 c1467c80529ecd1e097751b164a5f0727a0a248fd8f7093c053143693d06306d 3780 google-authenticator_20160607-1.debian.tar.xz
 c8ef3c165b251e4b24518e6ba22ae98795b5cbb2f65a3ec957813d67e523322f 58538 libpam-google-authenticator-dbgsym_20160607-1_amd64.deb
 83be12834ee073fbaef8098caf428bd7f92a7e0c972bd423706a685f546534b3 31994 libpam-google-authenticator_20160607-1_amd64.deb
Files:
 6c2243b749c83cba37df2df207d3ad2c 1533 admin optional google-authenticator_20160607-1.dsc
 ddc32e5c62471f74f4dfa958a36d76c0 41225 admin optional google-authenticator_20160607.orig.tar.gz
 d40df9bbded35ec804c6c6eb632b7319 3780 admin optional google-authenticator_20160607-1.debian.tar.xz
 9a8caa278601233a18f843b153f8d945 58538 debug extra libpam-google-authenticator-dbgsym_20160607-1_amd64.deb
 3502c82ee46e67531b9071be68b39a47 31994 admin optional libpam-google-authenticator_20160607-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXVw3HAAoJECR5ryVPfbxliKcH/1hBTGWQCX85aO901r1VtjNx
McfUTfICRbmJL1OkqFCPjCB1mM7U4ReUNlV5K6g6gdjvvoBiuxT9m+hiB43MaPSi
//ocdXzFZErOXlFA845wllxKeUyD9TnNiUmu/jpHw0DebZwYK96gQvx7HtIWHqYC
0P4sF3c1gW5bghdumHd94kiVDI9/f9GB9Rwzj1kDzGVkgs03sJthzwC5jp4gzgBI
oi4K/Uwyi/nfA14Y0krJ8bR97uU+QduYzKuuT8R6CDjvTbB343wYmmF5cJDtYft5
lqjRzNcyYuyqsiqg1aTySjvnfNahvUhtoFEIHcHjuHqtYv26nmdLQNN/eN5R09E=
=jDcu
-----END PGP SIGNATURE-----