> I think Debian has never been afraid of tackling hard problems and we
> should find a third way.
> I don't want to lower the quality of what we have built so far, so while
> it's technically possible to build .deb and include a bundle of libraries
> pinned at the correct version, I don't think that this should allowed into
> the main archive.
> However I also think that Debian has to provide all those hard-to-package
> applications to end users. Right now, my gut feeling is that the best
> approach is probably to rely on containers built out of Debian
> binary packages for the plumbing and with the language-specific package
> management tool for the application libraries. The role of the Debian
> developer is then to maintain a recipe file that is used to build the
> container (and future updated versions) and to provide some integration
> with the host to export/import data out of the application (think
> backup/restore). Since Debian would start to provide many containers like
> those, we would likely also start to build infrastructure to manage those
> containers, including some way to identify security vulnerabilities
> present in the container and a lintian for containers. And we would draft
> a policy for how to manage an application in a container, etc.
If we do this, we need to security-track the application libraries in
language-specific tools (e.g. pip), what are we dropping in quality
/work compared to auto-packaging from the language? while we don't
typically want to package 10,000 python packages for the sake of it, if
we need pyfoo (1.2) and are tracking it for security anyway, perhaps we
should write script python auto-packaging scripts,etc.
(Presuming licenses are automatically managed - taking license info from
pip / github, etc).
> Our core value is here and we can still provide value to our users in
> the new world that is emerging around us. We should just stop to be afraid
> of it.
Alastair McKinstry, <alast...@sceal.ie>, <mckins...@debian.org>,
Commander Vimes didn’t like the phrase “The innocent have nothing to fear,”
believing the innocent had everything to fear, mostly from the guilty but in
the longer term
even more from those who say things like “The innocent have nothing to fear.”
- T. Pratchett, Snuff