-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
On Fri, Feb 26, 2016 at 07:59:29PM +0100, Jonas Smedegaard wrote: > Do we favor tracking the true upstreams when packaging for Debian? There was some discussion about this on the list recently, but this is a question that didn't really come up, AFAIK. IMO, there are two things that matter here: 1. We require source. If the "fake" upstream does not provide that, it is certainly not adequate. IIUC, this is your situation (but I didn't check your links). That is: minified js is not source, and a project including it in its distribution is equivalent to a compiled project including a static library. In both cases, the code must be packaged from its source, and the bundled version must be discarded. This was discussed, and AFAIK what I wrote here is what most (but not all) people agreed with. 2. Needless forking is bad. There is no consent on what is "needless" though. My point is that having multiple copies of a thing that are all treated as source leads to problems. In Debian, we recognize that and one effect of that is that we don't want bundled libraries in packages. In the greater free software community, not everyone sees it this way. Having this opinion in Debian, I think we should use our influence to try to push upstreams the right way. That means we should package real upstream if there are multiple sources to choose from. Another reason for doing this is that future code duplication in Debian is automatically prevented. In your example: if someone needs the serverside version of the package, they would package node-handlebars and then we have two versions of the code in Debian. If the real upstream was used to begin with, that problem would have been avoided. Thanks, Bas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJW0KSPAAoJEJzRfVgHwHE6ZxAQAJnB5S/kKeCJpdIWkyCPAdXe zy4eiDlP7U4HCejSF991dWV+OD2KKn5wdQA26XpuJfd8v06qOVeEh3d3SQvbYXWP oxlfpUo3iuWUXWgxuvphmJFEeZxHN/yavqLbu9vOGmfoyqHJq6osTu3/pxQnc9Ps MU5jyvmbJqAypgB/zzfULz38fuiuyGB7OjDJSB+XkORJMJUVymDr/hrC6QBN2Vxi l8OtoZcrLxjOuKVEimatnR/UAseMVODJ5LBsQ2Qrw5xSWE7MeGAGnxnikTW/nbuk ThugoLcyOn2OWwyz8ziOl7mPfTyqxDHtbeA7gzmZO3ZXzctyeeLCbPZLcTRDg6pe kQxYztIGPxoWABCaUCgkE/nc1L3Jd3zc74L9M71FdyxEx/dzRgWGD8MuWVoGocfN oW83exDm6+gSkxGwR1b2QOemf8GO00HeKxVoy+p07r5Qbk6Y5bnRZvB9TMJqLHNF X2x1isBp/Xon/4tWYQTUrHDwB4XoU/9JWFZ/S0b+dB00oaGU74iVsMxUwKqMp0p2 X69I7H99ISLY1pYXpbFtlFWPD33EbYva8pBbctf7XXN93eupQMX9JAl+lfXFh24U ES4nCiJxMBTzHkAxS48jSTGFrBCh3NzfLjku5aY9LHZ2/DiBgmYpznC1SQIz2Ewe a4r6eN722Hi6w3hXyjv8 =g6Xz -----END PGP SIGNATURE-----