Re: Q: Debian position on bundled libraries
On 23/08/18 12:01, Paul Wise wrote: Hi, thanks for replies! > On Thu, Aug 23, 2018 at 3:51 PM, Alec Leamas wrote: > >> It's not that I don't understand your reasoning. Still, if this is the >> conclusion, it's kind of sad because it's means that a price-awarded [1] >> application won't be packaged in Debian. Upstream is very clear on this. > > Please note that I only mentioned my personal opinion, in practice > Debian's opinion is that bundling is fine, even of unmodified stuff > that is already packaged and especially for modified or unpackaged > things. There are tons of code/data copies in the archive, many of > which are registered with the security team (see the wiki page linked > earlier) and many which are not. OK, if all agrees on this I would be happy... Note that the approach in [2] is that we are trying to do our homework and unbundle things we "can", so to speak. >> the embedded communities would really need a pure Debian package. > Hmm, why would Flatpak not work for them? Flatpak isn't that space effective, the downloads are large. Multiple downloads are de-duplicated, but it's still a lot of bytes. OTOH, it could be argued that any system using OpenCPN needs a lot of storage for charts. But still... >> Fedora today basically allows bundling. > > I thought they actually had a similar policy to Debian; if possible, > try not to bundle but if you cannot avoid it, fine. We only use > "should" after all. Perhaps not that different from what you describe here [1] Cheers! --alec [1] https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries [2] https://github.com/OpenCPN/OpenCPN/issues/1124
Re: Q: Debian position on bundled libraries
On Thu, Aug 23, 2018 at 3:51 PM, Alec Leamas wrote: > It's not that I don't understand your reasoning. Still, if this is the > conclusion, it's kind of sad because it's means that a price-awarded [1] > application won't be packaged in Debian. Upstream is very clear on this. Please note that I only mentioned my personal opinion, in practice Debian's opinion is that bundling is fine, even of unmodified stuff that is already packaged and especially for modified or unpackaged things. There are tons of code/data copies in the archive, many of which are registered with the security team (see the wiki page linked earlier) and many which are not. > the embedded communities would really need a pure Debian package. Hmm, why would Flatpak not work for them? > Fedora today basically allows bundling. I thought they actually had a similar policy to Debian; if possible, try not to bundle but if you cannot avoid it, fine. We only use "should" after all. -- bye, pabs https://wiki.debian.org/PaulWise
Re: Q: Debian position on bundled libraries
On 23/08/18 09:26, Paul Wise wrote: > On Thu, Aug 23, 2018 at 12:59 PM, Alec Leamas wrote: > >> Here is some libraries to unbundle; this could certainly could be done, >> However, the core issue is a few libraries which cannot realistically be >> unbundled. One example is mygdal, a heavily patched subset of the gdal >> package. >> So, before proceeding with this work I'd like to know how to handle a >> situation like this. Under what conditions (if any) is bundling actually OK? > > Personally, I don't think it is ever acceptable. It's not that I don't understand your reasoning. Still, if this is the conclusion, it's kind of sad because it's means that a price-awarded [1] application won't be packaged in Debian. Upstream is very clear on this. OTOH, it will be available as a flatpak package (sandboxed, FWIW) which should satisfy most users. But the embedded communities would really need a pure Debian package. I also note that this was the position in Fedora (some years ago I actually felt that Debian was more flexible then Fedora on this). Fedora today basically allows bundling. Fedora is not Debian, though. Cheers! --alec [1] https://opencpn.org/OpenCPN/info/newspgI.html
Re: Q: Debian position on bundled libraries
Le jeudi 23 août 2018 à 09:31:09+0200, Alec Leamas a écrit : > On 23/08/18 08:34, Pierre-Elliott Bécue wrote: > > Le jeudi 23 août 2018 à 06:59:45+0200, Alec Leamas a écrit : > >> [may I keep bundled libraries?] > > Thanks for reply! > > > I'd say that as soon as there's no other way of having your package work > > (right, there's always another way, but my guess is that we don't expect > > someone to do hours of work that'll be a pain in the ass to maintain just > > for that, especially if the bundled library is a patched set of the original > > one) properly, it won't be a problem > Looking at [1], do you agree that this is along these lines? It's an excellent start. But I guess for gdal, it could be worth trying to ping both upstreams to find a solution that works fine without embedding. Even for OpenCPN it's probably worth it not to maintaining this fork by themselves. > > That said, you'll have to reference properly the d/copyright file, > > I have updated d/copyright in [2]. > > > and you > > should probably strip out all trivially out-strippable libraries that are > > already packaged in Debian or packageable by themselves. > > ... and be done with it. If we could confirm this, that's what I'm > actually looking for. In a previous packaging attempt this window seemed > very small [3], but there has been water under bridges since that > discussion. I can't really help with this, being out of time for now. :( > > [1] https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles > > Yes... but the interpretation of this is the very issue here. It's IMHO > far from crystal-clear. Yes, and I guess it's probably designed that way willingly. The whole question is to decide wether the risk an embedded copy is acceptable or too high. Mind that in the end, the FTP team has the final say regarding this matter. To try to have an explicit strict rule is the best way to face issues that could be avoided. -- Pierre-Elliott Bécue GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2 It's far easier to fight for one's principles than to live up to them. signature.asc Description: PGP signature
Re: Q: Debian position on bundled libraries
On 23/08/18 08:34, Pierre-Elliott Bécue wrote: > Le jeudi 23 août 2018 à 06:59:45+0200, Alec Leamas a écrit : >> [may I keep bundled libraries?] Thanks for reply! > I'd say that as soon as there's no other way of having your package work > (right, there's always another way, but my guess is that we don't expect > someone to do hours of work that'll be a pain in the ass to maintain just > for that, especially if the bundled library is a patched set of the original > one) properly, it won't be a problem Looking at [1], do you agree that this is along these lines? > That said, you'll have to reference properly the d/copyright file, I have updated d/copyright in [2]. > and you > should probably strip out all trivially out-strippable libraries that are > already packaged in Debian or packageable by themselves. ... and be done with it. If we could confirm this, that's what I'm actually looking for. In a previous packaging attempt this window seemed very small [3], but there has been water under bridges since that discussion. > [1] https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles Yes... but the interpretation of this is the very issue here. It's IMHO far from crystal-clear. Cheers! --alec [1] https://github.com/OpenCPN/OpenCPN/issues/1124 [2] https://github.com/OpenCPN/OpenCPN/pull/1100 [3] https://lists.debian.org/debian-mentors/2011/05/msg4.html
Re: Q: Debian position on bundled libraries
On Thu, Aug 23, 2018 at 12:59 PM, Alec Leamas wrote: > Here is some libraries to unbundle; this could certainly could be done, > However, the core issue is a few libraries which cannot realistically be > unbundled. One example is mygdal, a heavily patched subset of the gdal > package. gdal has had one security issue in the past and I wouldn't be surprised if it had one in the future, since it is basically a collection of file format parsers. As such I am not sure using a fork of it is a good idea. It would be best to work with both upstreams to resolve the delta. https://security-tracker.debian.org/tracker/source-package/gdal > So, before proceeding with this work I'd like to know how to handle a > situation like this. Under what conditions (if any) is bundling actually OK? Personally, I don't think it is ever acceptable. -- bye, pabs https://wiki.debian.org/PaulWise
Re: Q: Debian position on bundled libraries
On Thu, Aug 23, 2018 at 2:34 PM, Pierre-Elliott Bécue wrote: > Per Debian's Policy section 4.13[1], the embedding of a code from an > other software packages should be avoided, unless the included package is > explicitly intended to work this way. In addition: https://wiki.debian.org/EmbeddedCodeCopies https://wiki.debian.org/UpstreamGuide#No_inclusion_of_third_party_code -- bye, pabs https://wiki.debian.org/PaulWise
Re: Q: Debian position on bundled libraries
Le jeudi 23 août 2018 à 06:59:45+0200, Alec Leamas a écrit : > [may I keep bundled libraries?] Hi Alec, Please note that I'm a little new to the Policy and these packaging questions, so my thoughts probably require to be confirmed by a more experimented person. Per Debian's Policy section 4.13[1], the embedding of a code from an other software packages should be avoided, unless the included package is explicitly intended to work this way. I'd say that as soon as there's no other way of having your package work (right, there's always another way, but my guess is that we don't expect someone to do hours of work that'll be a pain in the ass to maintain just for that, especially if the bundled library is a patched set of the original one) properly, it won't be a problem. That said, you'll have to reference properly the d/copyright file, and you should probably strip out all trivially out-strippable libraries that are already packaged in Debian or packageable by themselves. HTH. [1] https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles -- Pierre-Elliott Bécue GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2 It's far easier to fight for one's principles than to live up to them. signature.asc Description: PGP signature
Q: Debian position on bundled libraries
Dear list, Still investigating packaging opencpn[1]. In this context I have looked into the bundling [2]. Here is some libraries to unbundle; this could certainly could be done, However, the core issue is a few libraries which cannot realistically be unbundled. One example is mygdal, a heavily patched subset of the gdal package. So, before proceeding with this work I'd like to know how to handle a situation like this. Under what conditions (if any) is bundling actually OK? I deliberately avoid the "convenience copy" term used by the Policy Manual since i think the term bundled is more accurate here - the plain copies are not a problem. Cheers! --alec [1] https://opencpn.org/ [2] https://github.com/OpenCPN/OpenCPN/issues/1124
