Differences between revisions 31 and 32
Revision 31 as of 2012-01-10 16:01:57
Size: 20655
Comment:
Revision 32 as of 2012-02-02 09:56:34
Size: 20722
Editor: ThomasKoch
Comment:
Deletions are marked like this. Additions are marked like this.
Line 165: Line 165:
See [[Java/UpstreamHints]] for more java specific informations.

Introduction

This page is aimed at upstream developers who would like their software to be packaged for Debian, or whose software is already packaged for Debian. It attempts to document what we do with your software, the resources we make available to you and what you can do to make the packaging process smoother. If you require any clarifications or have any questions about this document, please direct them to the debian-upstream mailing list.

See also

"Distribution-friendly projects" by Diego Pettenò - part 1, part 2, part 3.

How you know your Free or Open Source Software Project is doomed to FAIL (wiki version) by Tom Callaway. See also the associated This is why you FAIL talk by Tom at SCALE 2011.

Packaging Unix software by Adam Sampson

Releasing FLOSS for Source Installation by David A. Wheeler.

The java packaging nightmare... by Vincent Fourmond

Upstream hints for Java developers by folks at FOSDEM 2010

The real problem with Java in Linux distros by Thierry Carrez (LWN comments)

How to be forkable and not get forked by Mel Chua

Free Software Project Management HOWTO by Benjamin Mako Hill

A blog series by François Marier:

Rules for distro-friendly packages by Enrico Weigelt

Releasing Free/Libre/Open Source Software (FLOSS) for Source Installation by David A. Wheeler

How to be a good upstream for games by Debian/Fedora/etc games teams

Writing a C library by David Zeuthen /!\ (includes some advice that can be considered controversial)

How to be a good upstream, a FOSDEM 2010 talk by Petteri Räty of Gentoo (there's also a video available at the FOSDEM 2010 distributions devroom video archive).

Physics Software Rant by Kevin B. McCarty

The cost of going it alone by Dave Neary (LWN comments)

Initial Packaging

Pristine Upstream Source

The source code archive should only contain source code, never any files that are created for the specific system during compilation. We recognize that it is fairly common to ship lexer and parser code or compiled documentation as part of the source package so administrators building from source do not need to install the build tools, however we need to rebuild all generated files to make sure that they can really be built from source, so please include methods to regenerate these files. For some guidelines about source for artwork, audio etc, please take a look at the games link above.

It appears that the "rebuild everything" rule is applied inconsistently, for example, most packages do not rebuild the files generated by autoconf and automake. This is mainly for historical reasons, since these tools broke often during automatic builds.

Please do not include other packages that are also shipped separately inside your source archive, or if you do, please make sure that these can be reliably ignored. If a security issue is found in other included packages, it is far easier to rebuild one package than to scan the entire archive for all copies of this code and patch them individually (this happened for zlib, for example).

(why we'd like to have a single .tar.gz archive from you, at least for the time being)

Many upstream code sources tend to include a rough /debian directory among source files to ease bleeding-edge package compilation and installation on debian (and derived) systems; while this is a good effort, it would be better to leave it out of the final tarball as it can interfere with debian's own packaging effort. Keeping it only in your VCS repository is usually a much saner default.

Licenses

The DFSGLicenses page has a lot of information about the various licenses currently found in Debian.

  • Please do not write your own license text if you can at all avoid it. Depending on your wishes, the GPL, LGPL or a BSD-style license will most likely be appropriate, and it is far easier to tell whether something is allowed if we can look at past discussions of the same text.

  • There is usually no need for different "types" of files to have different licenses. It really complicates matters as all the license terms need to be followed at the same time, and if two are incompatible, we cannot distribute the package at all.
  • Please document copyright attribution in each file, and add statements placing the code under the chosen license to the copyright holders. Email addresses or company contacts for copyright holders should be listed either in the individual files, or in a file called "AUTHORS"

  • Include the full text of all licenses used in the top-level directory.
    • If more than one license is in use in the package, a file "COPYING" that lists files and their licenses, and individual files "GPL" "LGPL" with the unmodified license text would be ideal.

    • Packages with a single license can simplify this by using the full license text as the "COPYING" file.
  • Please keep copyright information up to date.
  • If your chosen license is GPL, please don't depend on libraries with incompatible licenses (such as OpenSSL)

Releases and Versions

Each time you reach a point in development of your software where you feel everything generally works and you've fixed a variety of bugs or implemented some interesting new features, please release a downloadable tarball with a version number. This doesn't necessarily mean that you have to keep supporting that version afterwards if you're short of resources, so long as you make that clear. But please don't develop only in a version control repository and with snapshots, or do releases only as tags. It makes it much more difficult to grab a stable point that you think generally works. A distro needs to pull in this stable point rather than an automatic snapshot which inadvertently happened in the middle of some known transition or partial development.

Each time you make a new release, give it a new version number which is greater than the previous version number. (This sounds obvious, but it's amazing how often this doesn't happen.) If anything changes, please give the new release a new version number. Even if what changed was fixing an obvious mistake or accident and the previous version wasn't usable, always give the new release a new version number.

Version numbers are only useful if they increase every time something changes. There are an infinite number. You won't run out. It's far more useful to know that version numbers always increase and that everyone with version N has identical code than it is to hit psychologically-significant numbers or to set version numbers to meet past plans about what would go into which version.

Be bold about increasing version numbers. Don't get trapped in sub-sub-sub-versions. Don't be scared about crossing magic numbers. Call it v1.0 not v0.9.8.93. You will be moving on to v1.1 soon enough when problems are found.

Consider committing to long-term support of versions of your software in stable releases of major distros. If this is a problem, discuss it with the distros before they make a release.

Hardcoded Paths

Debian's Policy requires that Debian packages follow the Filesystem Hierarchy Standard for file locations. It should also be noted that Debian packages are not installed into /usr/local. Thus Debian config files are found in /etc, and manual pages in /usr/share/man. If your program normally installs these to a different location please be sure to provide a mechanism to change the locations without patching the source. Use of environment variables for this purpose is recommended.

  • Support foo.d for configuration.

Dependencies

  • Be clear about dependencies (including versions).
  • Avoid dependency versions not available in the latest release of major distros, unless that takes a lot of effort.
  • Avoid dependencies on unreleased versions (such as VCS snapshots)
  • Avoid dependencies on the patches applied in specific distributions

Test suites

  • Have an automatic test suite to run during build time.
  • If possible, have a test suite to run against the installed software.

Security

  • Be careful about security. Respond promptly to security problems.

Bug tracking

  • Have and use an open bug tracker.
  • Have and use an open version control system.

Your Build System

General Considerations

No Downloads

You should never assume that Internet access is available during building. Debian is often installed from CDs or DVDs in places without connectivity, where those packages could not be rebuilt.

Out-of-Tree Builds

Please ensure that your software can be built from outside the source tree, both from in entirely different locations and from specific subdirectories of the source tree.

If you are using autotools then you can check this by running make distcheck. This will export a release tarball and run some dummy builds using it.

The reason for this is that if your software can be built in different ways, we need to build all of them in different directories. Sometimes we also need to be able to build your software for multiple architectures at the same time.

Cleaning the Tree

(if out-of-tree works, we can rm -rf the build tree, otherwise we need clean targets that remove anything that can be automatically rebuilt, including generated source)

Including a file in your distribution and then modifying it as part of the build is confusing and leads to spurious differences that appear to be Debian-local modifications unless the packager takes special care. Files of this type should instead be generated from a template with a different file name, the way that Autoconf handles config.h, generated from config.h.in, and the generated file removed in your clean or distclean target and not included in the distribution.

Installation

Please honor the DESTDIR environment variable or make variable and use its contents as a prefix in front of all installation paths. (Supporting changing prefix at make install time without changing any of the paths built into the software is also good practice, but not strictly necessary if DESTDIR is used.) Automake's make distcheck will verify that your package supports this, as well as out-of-tree builds and other best practices, so if you're using Automake, that's a nice check to do before a release.

After running make, running make install should not rebuild any files and in particular shouldn't encode any new paths. Otherwise, it's very hard to install the software in a temporary staging area without including the paths to the staging area in the final software (which in the case of RPATH can even be a security concern).

Assume that none of the directories into which you're installing files may not already exist and create them if necessary using mkdir -p (possibly via the $(MKDIR_P) macro provided by Autoconf and Automake), install -d, installdirs, or some similar technique.

Autoconf and Automake

If you use config.guess and config.sub, please make a habit of always copying the latest versions from ftp.gnu.org or some other source (such as /usr/share/misc on a Debian system with autotools-dev installed) into your package when you release. If you use autoreconf, it can do this for you automatically provided that you keep your local system version up to date. Most of your users may not care about the changes, but Debian often does, since Debian supports a wide variety of architectures.

(we like it, but keep it fresh :) )

Make

(we sort of like it)

Some make variables are reserved to the user, and the Automake manual and the GNU coding standards advise to never use them for switches that are required for proper compilation of the package. When a Debian binary package is built, environment variables such as CFLAGS and CXXFLAGS are set by dpkg-buildpackage and may override the corresponding variables in the Makefile. We therefore strongly recommend to follow the above advice.

SCons

Please don't use SCons, we will have to re-implement many standard features of autoconf/automake; DESTDIR, out of tree builds, cleaning and more.

waf

Using waf as build system is discouraged. One of the reasons is the recommendation to ship a waf executable in every single package using it, instead of using a system wide one. Also note that just shipping the waf executable (which contains a binary blob) is considered to be not complient with the Debian Free Software guidelines by the FTP Team. Please see #645190 and UnpackWaf for more details on the issue and how to avoid it, if you have to use waf.

Java

As it happens way too often: please do not ship any prebuilt class or jar files or any other generated files without accompanying source code and do not download such files during the build process. Please document each dependency and in particular: where can its source code be obtained.

Apache ant is a very popular build tool for Java code and it is easy to use for Debian packaging, too.

See Java/UpstreamHints for more java specific informations.

Perl

Please use one of the standard Perl build systems, either Module::Build or ExtUtils::MakeMaker, and please try not to modify it in too many odd ways. That helps greatly in preparing packages.

Please remember that builds need to be done unattended and provide some mechanism to set defaults or bypass any prompts with known answers.

(we like stuff from CPAN, why?) (plugins => see above)

Here is a link to the debian-perl group's internal policy regarding perl packages in debian pkg-perl policy.

Python

(they have a standard way of packaging too) (plugins => see above)

  • please do not break API/ABI unless you really have to (it's very common among Python developers to break it in every second release)
  • please do not bundle local copy of 3rd party modules, we will remove it anyway
  • please do not depend on unreleased (sic!) or unstable versions of 3rd party libraries

OCaml

Please help us in supporting architectures for which the native code compiler (ocamlopt) is not available. Practically this mean to support in your build tool (makefile or corresponding) one of the following 2 behaviors:

  1. automatically detect whether ocamlopt is available or not, build native code objects/executables only if this is the case, install native code executables only if they have been built
  2. provide different make targets (or corresponding tool invocations) to build and install bytecode stuff vs native code stuff. Usual names for that are: all vs opt (to build bytecode/native code stuff) and install vs install-opt

(other languages with their own deployment tools)

After initial packaging

If your package has been packaged for Debian, thank you and congratulations. We hope that you will get new users. There are some resources that you may want to take advantage of:

  • http://packages.qa.debian.org/package where package is the name of the package in Debian. This page is a portal to all kinds of information. You can subscribe to Package Tracking System (PTS) to be mailed when there is a new release or when a user reports a new bug.

  • http://bugs.debian.org/package where package is the name of the package in Debian. This page lists all bugs that have been reported by Debian users. We would be delighted if you would help to solve them, propose patches or fix them upstream.

Note that subscription to PTS is recommended but optional. The Debian maintainer will forward you bugs that need your help or your interest.

  • Mailing lists: debian-devel and debian-project.

Branching

(why we maintain ancient versions in stable) (what to do if you think we shouldn't do this)

If you fix bugs, please try to have only the bug fix in the commit. This will let us more easily backport the fix to the version included in a Debian release.

Upgrades

(converting old system wide data) (converting old user data)

Downstream Patches

(we need your help in understanding your package) (please add unit tests even for functionality you believe is trivial so we can see if a patch breaks something)

  • If distros tell you something in your code makes life hard for them, seriously consider fixing it.
  • Accept improvements to build systems, so distros can avoid using workarounds for a long time.

Porting

You can view the build logs for packages at buildd.d.o and buildd.d-p.o. These can be useful for discovering build failures and compiler warnings that occur on less common architectures.

Be mindful about portability. Debian releases for a number of architectures and kernels.

GettingPorted - things to keep in mind when developing a program or packaging it so that it remains portable.

Branding

Do not brand your software as part of any particular distribution, since that will need to be removed every time your software enters a new distribution.

Optionally provide build-time or run-time ways for distributors to add branding and other per-distribution settings to your software.