Hi John,

On Sat, Sep 4, 2021 at 4:34 PM John Goerzen <[email protected]> wrote:
> > What is the usual path forward here?
> I'm not sure about the more general case.
> Thoughts?

I wish someone with your experience and reputation were to propose a general solution to the vendoring problem. [1] [2] It also surfaces frequently in many other languages, such as Rust or Haskell.

I see two general solutions:

(a) Co-existing, versioned source packages with automatic, nightly imports into Debian.

(b) Fully vendored uploads with centralized version tracking and patching to address security and other concerns.

Debian seems to pursue some path to (a), but different source versions do not generally co-exist. I am also told that the archive is straining under too many installables. The Node team at least has been told to double up source packages via the multiple tarball mechanism, even though run-time access to the sources is actually more important for them and other interpreted languages like Perl than for any of the compiled languages (like Go).

My preference is probably (b). It would focus the archive on executables and shared libraries for users rather than developers, who have other ways to get source code for the software they are writing. It would also ensure that anyone who gets sources can build them, although deduplication could become a concern.

Kind regards
Felix Lechner

[1] https://bugs.debian.org/971515
[2] https://lwn.net/Articles/843313/
