On 08/18/2017 04:50 AM, Hubert Chathi wrote:
> [meant to reply to the list, so sending again]
>
> On Wed, 16 Aug 2017 09:27:49 +0200, Ross Gammon <javascr...@the-gammons.net> 
> said:
>
>> For node-* stuff however, upstream handle this by bundling a
>> particular version of a module in node_modules. If it is "really
>> difficult" to patch a node module/app to use the Debian version of a
>> library (because the versions have changed too much), then shouldn't
>> we bundle the node_module and install it as upstream do it (avoiding
>> all the relative path issues)? It could be followed up with a bug
>> (severity wishlist/normal?) to remove the bundled module once Debian
>> and upstream are more aligned.
> Embedding copies of libraries should be highly discouraged.  For one
> thing, it is against policy[1], but it also makes security support
> much harder: you may end up with multiple buggy versions of a library on
> your system, and have a bunch of duplication.  It may make initial
> packaging easier, but it usually makes maintenance harder.
>
> [1] https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles

The title of this section of policy is actually "Convenience copies of
code". It is definitely not a convenience to heavily patch a package
just to use a "way out of date" dependency, when it is out of date
because many other packages still require that old dependency.

I agree that it should be discouraged though, except in rare cases. It
is just a normal transition (like in C/C++) after all.

Whether it is bundled, or several versions of the same upstream are
packaged separately, you still have the issue of code duplication, and
the possibility that a security update might be required in several
places at the same time. Of course, bundled copies are harder to find.
But we can manage that in the team (via a transition bug, and/or a list
on the wiki?) while we push all the unwilling upstreams to align on the
same version (and nodejs upstreams are REALLY unwilling on this -
believe me). I still think it is better to manage multiple copies in the
same way that upstream do. It will give a lot less friction upstream.

<snip>

Cheers,

Ross

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel