On 19/05/25 06:36, Yifei Zhan wrote:
> Could you please put that branch somewhere? Maybe on Salsa, I'd like to see
> what scale we are dealing with. Honestly I'm not sure if we have enough
> bandwidth within Debian to keep them secure and up-to-date in the long run....

See [1]. They're 50 deps. The remaining 20-30 I remember were probably inside arti's workspace (I first went with a per-crate packaging, then switched to using the arti workspace as a whole). An arti workspace draft only packaging the application (i.e. no libs) is at [2]. This is from about one year ago, so keep in mind I'm giving you very outdated information. Even the upstream package I worked on is more polished than [2].

I don't think the biggest issue is one of bandwidth. I think there's an issue of tooling and an issue of stability. For the tooling, I would say we need support for suite branches in debcargo-conf so we're able to push security updates more easily. Still, there's a limit beyond which it's very difficult to go with stable updates. For instance, what happens when upstream updates to clap 5 eventually and we have to introduce tens of packages in stable to provide a security update, if these are only pushed to the last release? To properly deal with security, I believe upstream should probably provide LTS releases (when they feel they're ready to do so). Unfortunately, this is easier said than done as it's very hard to guarantee that their dependencies would have the same level of support.


[1] https://salsa.debian.org/NoisyCoil/debcargo-conf/-/commits/package-arti-deps
[2] https://salsa.debian.org/NoisyCoil/arti
