I am the upstream maintainer of libpaper (which used to be a pure-Debian project), and also a Debian Maintainer trying to get a new version of
libpaper into Debian. (It involves an API/ABI transition, from the current libpaper1 to libpaper2.)
Bastian Germann (
bage@debian.org) is kindly helping with the packaging and sponsoring my upload.
I just got a rejection for libpaper_2.0.3-1 from ftp-master (in this case, Thorsten Alteholz), who said "I didn't find any explanation why you
embedded a copy of gnulib in your source tarball. Do you really need that?"
Like many GNU packages, my rewrite of libpaper uses gnulib, a source
library that's effectively a polyfill for POSIX & GNU APIs, and my libpaper releases distribute some gnulib source files as part of the release
tarball. Other Debian packages that work this way include coreutils and
grep.
Some other Debian packages build-depend on Debian's gnulib package. This
won't necessarily work for libpaper, because gnulib is not versioned:
libpaper depends on a specific commit of gnulib, and there are often bug
fixes or API changes.
Bastian asked me to build-depend on gnulib, which I have so far declined to
do, as that would make the Debian package's sources effectively different
from those that I release as upstream maintainer.
Also, a build-depend on gnulib would not directly address Thorsten's
problem with the package, as the source archive would still contain gnulib sources (although maybe it would be OK if they weren't used?). I had a look
at a package that does build-depend on gnulib, wget2, and its source
tarball contains gnulib files.
I have searched the debian-devel archives and found a few reference s to gnulib, but no definitive ruling about how gnulib should be treated.
Bastian rightly points out that by including gnulib sources, packages such
as coreutils cannot easily be updated for security bugs in gnulib; but to
me this seems to be a problem with gnulib itself (it's a source library,
that's how it works), rather than with the packaging of programs that use gnulib.
Another of Bastian's suggestions is that I base the Debian package on a git snapshot, as that does not include gnulib files; but this still has the
problem that the Debian package would not be built from a release of
libpaper.
I am a bit torn here: with my DM hat on, stripping out gnulib sources where possible and using Debian's gnulib package seems the right thing to do.
With my upstream hat on it leads potentially to bug reports that don't correspond to an upstream release; and further few Debian packages that use gnulib actually seem to use this method (there are 26 build-rdeps of
gnulib).
Help? (With many thanks to the several DDs that have already helped on the nearly 10-year journey to get libpaper updated!)
--
https://rrt.sc3d.org
<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I am the upstream maintainer of libpaper (which used to be a pure-Debian project), and also a Debian Maintainer trying to get a new version of
libpaper into Debian. (It involves an API/ABI transition, from the current libpaper1 to libpaper2.)</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:
arial,helvetica,sans-serif;font-size:small">Bastian Germann (<a href="mailto:
bage@debian.org">
bage@debian.org</a>) is kindly helping with the packaging and sponsoring my upload.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-
serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I just got a rejection for libpaper_2.0.3-1 from ftp-master (in this case, Thorsten Alteholz), who said "I didn't find any
explanation why you embedded a copy of gnulib in your source tarball. Do you really need that?"</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:
arial,helvetica,sans-serif;font-size:small">Like many GNU packages, my rewrite of libpaper uses gnulib, a source library that's effectively a polyfill for POSIX & GNU APIs, and my libpaper releases distribute some gnulib source files as part of
the release tarball. Other Debian packages that work this way include coreutils and grep.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,
helvetica,sans-serif;font-size:small">Some other Debian packages build-depend on Debian's gnulib package. This won't necessarily work for libpaper, because gnulib is not versioned: libpaper depends on a specific commit of gnulib, and there are
often bug fixes or API changes.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Bastian asked me to build-
depend on gnulib, which I have so far declined to do, as that would make the Debian package's sources effectively different from those that I release as upstream maintainer.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-
serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Also, a build-depend on gnulib would not directly address Thorsten's problem with the package, as the source archive would
still contain gnulib sources (although maybe it would be OK if they weren't used?). I had a look at a package that does build-depend on gnulib, wget2, and its source tarball contains gnulib files.</div><div class="gmail_default" style="font-family:
arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I have searched the debian-devel archives and found a few reference s to gnulib, but no definitive ruling
about how gnulib should be treated. Bastian rightly points out that by including gnulib sources, packages such as coreutils cannot easily be updated for security bugs in gnulib; but to me this seems to be a problem with gnulib itself (it's a source
library, that's how it works), rather than with the packaging of programs that use gnulib.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,
helvetica,sans-serif;font-size:small">Another of Bastian's suggestions is that I base the Debian package on a git snapshot, as that does not include gnulib files; but this still has the problem that the Debian package would not be built from a
release of libpaper.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I am a bit torn here: with my DM hat
on, stripping out gnulib sources where possible and using Debian's gnulib package seems the right thing to do. With my upstream hat on it leads potentially to bug reports that don't correspond to an upstream release; and further few Debian
packages that use gnulib actually seem to use this method (there are 26 build-rdeps of gnulib).<br></div><div><br></div><div><div style="font-family:arial,helvetica,sans-serif;font-size:small" class="gmail_default">Help? (With many thanks to the several
DDs that have already helped on the nearly 10-year journey to get libpaper updated!)<br></div><br></div>-<span class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">- </span><br><div dir="ltr" class="gmail_signature" data-
smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><a href="
https://rrt.sc3d.org" target="_blank">
https://rrt.sc3d.org</a></div></div></div></div></div>
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)