On Sat, Apr 12, 2008 at 12:20 AM, Jan Hauke Rahm <[EMAIL PROTECTED]> wrote:
> I'm working on a package that includes some php libs (e.g. pear > packages). Some of those are already packaged for debian so it'd be > better at all if I'd set a dependency on it and don't ship the code > again, right? It is better that absolutely none of the embedded php libs are included/used/shipped in the .deb. If they are not packaged separately, the security team will not be happy at all. > First of all my question is how to do that. Can I just create a symlink > to the other package or must I modify the upstream source to look at the > right place (without using links)? I'd suggest reading the draft debian webapps policy and asking about this on the debian webapps list. I imagine your app has a config.php in which you can set the default php include path. > And the next question is: what can I do if upstream uses a modified > version of that lib? Is there a proper way to ship just the > modifications and for the rest use the files of the lib package? There is no proper way to ship embedded forks. Instead the fork should be merged upstream or dropped. Fix your app upstream so that it does not need the modifications, or get the php lib upstream to include the modifications and get that into Debian. The most acceptable hacky way to do it would be to create a libfoo-modified-php package that build-depends on the original version (libfoo-php), copy and apply a patch at build time, then ship the patched version in the libfoo-modified-php binary package. Then your webapp can depend on libfoo-modified-php. If there is *any* code duplicated in the source/binary package from other software, the security team must be notified of the situation so they can fix security issues properly. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
