On Tue, Feb 27, 2018 at 02:13:41PM +0100, Didier 'OdyX' Raboud wrote:
>...
> In other words, vendorization is the tool that allows developers to get rid
> of
> distribution constraints and get on with their development through installing
> the dependencies from their ecosystem as they see fit (non-root), in the
> (eventually precise) version they need. But using these "upper-layer"
> management tools (pip, npm, bower, you-name-it), one doesn't get the
> constraints from the distribution, but one doesn't get the benefits from the
> distribution either. And Debian (amongst others) has value to offer to these
> layers too: DFSG-freeness, traceability, reproducibility, a common package
> format and a set of tools, etc.
You omitted "security support", which is essential for any real-world usage.
> It would be really sad if Debian was incrementally reduced to only the
> "boring" lower layers,
>...
#MDGA (Make Debian Great Again)
More seriously, our priority should be to help users getting working
and security-supported systems.
Distribution-agnostic formats like flatpak might become a good option
when people always want/need the latest upstream version.
An ancient version with known vulnerabilities and no security support
in stable is clearly worse than whatever the management tools of the
upstream ecosystem would install.
The first question should always be if/how we can provide something that
is better than what is already available elsewhere.
The worst case would be if we have to tell more frequently to users
"Please don't use the packages in our stable release." because they
are worse than alternatives.
> Cheers,
> OdyX
>...
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
