On 08/18/2017 04:50 AM, Hubert Chathi wrote:
> [meant to reply to the list, so sending again]
>
> On Wed, 16 Aug 2017 09:27:49 +0200, Ross Gammon <[email protected]> said:
>
>> For node-* stuff however, upstream handle this by bundling a particular version of a module in node_modules. If it is "really difficult" to patch a node module/app to use the Debian version of a library (because the versions have changed too much), then shouldn't we bundle the node_module and install it as upstream do it (avoiding all the relative path issues)? It could be followed up with a bug (severity wishlist/normal?) to remove the bundled module once Debian and upstream are more aligned.
>
> Embedding copies of libraries should be highly discouraged. For one thing, it is against policy[1], but it also makes security support much harder, you may end up with multiple buggy versions of a library on your system, and have a bunch of duplication. It may make initial packaging easier, but it usually makes maintenance harder.
>
> [1] https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
The title of this section of policy is actually "Convenience copies of code". It is definitely not a convenience to heavily patch a package just to use a "way out of date" dependency, when it is out of date because many other packages still require that old dependency.

I agree that it should be discouraged though, except in rare cases. It is just a normal transition (like in C/C++) after all. Whether it is bundled, or several versions of the same upstream are packaged separately, you still have the issue of code duplication, and the possibility that a security update might be required in several places at the same time. Of course, bundled copies are harder to find. But we can manage that in the team (via a transition bug, and/or a list on the wiki?) while we push all the unwilling upstreams to align on the same version (and nodejs upstreams are REALLY unwilling on this - believe me).

I still think it is better to manage multiple copies in the same way that upstream do. It will give a lot less friction upstream.

<snip>

Cheers,

Ross

--
Pkg-javascript-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
