This page is a discussion place for the choices of the tools used in the Debian Games Team

Please add your answers, reasons and name for each question

If you are in a rush, you might want to jump to the [#bottom conclusions] (no pun intended).

Old discutions

Libs: Should we provide .so when upstream only provide .a

Gonéri Le Bouder

I think we should not fight when upstreams don't want to deal with the ABI. We should provide a libpackageversion-dev package only. Such library are not widely used, that's why I think security binNMU are acceptable.

Miriam Ruiz

The advantages of shared objects over static libraries are really huge, and at some point it would be important to soify them. I plan to do that with that library at least. I'm just a bit concerned about if this is the time to do it, not about whether it should be done.

What about security problems with .a files in stable? it doesn't escalate very well, to need to do a lot of binNMUs in stable. In SID or testing it might be an option, but stable?

Bradley Smith

There is also the obvious security issues with only providing static libraries, in that if there is a security issue in the static library, all packages built against it will need to be rebuilt, this was the main reason I created shared libraries for plib, but could the risk be considered insignificant? After all they are only games libraries... (Mostly?)

Also I don't think creating shared libraries is much of an issue, as long as it's done properly, the easiest way obviously being to patch the build system directly, so as to create the shared libraries as upstream would, hacking them on top really isn't very good as it's likely to violate policy in other ways (i.e. the old plib package, not linked against dependencies). But obviously doing this is easier said than done with some build systems, and I agree there is still a lot of overhead/potential problems with patching things autotools build systems.

GerfriedFuchs

If there are only very few packages who depend on the library, it might work out. The more dependencies there are the more bigger headaches we get, both from binNMU requests and especially from a security point: If there is a problem in a static library you will have to update all build-depending packages. So where possible, upstream should definitely get educated on the topic and what it means to the users of their library. If upstream doesn't want to use basic considerations on compatibility issues propably they won't have too many people using their libraries anyway because it becomes a headache for the people using the library, too.

Wen-Yen Chuang

For the "bullet" case, its upstream author do not keep back-compatibility between releases. So binNMUs may cause working applications broken. In this situation, I think static-library-only is the best option.

I do not think we can keep all the different versions for a single library. Projects which want to use "bullet" should include everything needed in their-own tarball to prevent such compatibility issue.

"bullet" has much nice 3D demos, so it is worthy to be packaged even other projects may have their own "bullet".

Andres Mejia

In these types of cases, you could create shared libs with release type version (i.e. libbullet-<version>.so) to alleviate the problem with ABI breakages. Ogre uses this type of SO versioning.

Conclusions

  1. Use Debhelper, avoid CDBS.
    • Explanation: Every maintainer knows how to use ?DebHelper, as it is the current de facto standard in Debian. CDBS and other packaging systems, including packaging from scratch, make a difficult entry barrier for new people in the group and for sponsors.

  2. Use a patching system, preferably quilt but dpatch is also acceptable.
    • Explanation: If we don't modify the sources directly, we don't have to store all of them in the versioning system. Having individual patches for individual changes makes everything more clear. Using a patching system instead of relaying in SVN logs makes the package analysis independent of SVN. We won't make usage of the diff.gz files to store the changes to the programs.
    • Exception: Some exceptional situatios can lead to an exception to this rule, for example autotools bootstrapping.
  3. Every modification to the orig file should be contained in the debian/ directory.
    • Explanation: If we keep the changes confined to that directory, we can guarantee that the original sources won't be touched directly, and everyone in the group can see at a glance which part belongs to Debian and which belongs to upstream.
  4. Only the debian/ directory should be stored in the SVN system.
    • Explanation: It makes it more clear to handle, download and work with.
  5. Original tarballs should go to http://pkg-games.alioth.debian.org/tarballs/

    • Explanation: It makes more sense having them stored in a directory than in SVN or a versioning system.
    • You can achieve that by a command in the spirit of

scp vegastrike_0.4.3.debian1.orig.tar.gz alioth.debian.org:/home/groups/pkg-games/htdocs/tarballs

  1. TODO

Some tips on how to use patches efficiently (Thanks Linas Žvirblis):