Introduction

This page is aimed at upstream developers who would like their software to be packaged for Debian (why would you want this?), or whose software is already packaged for Debian. It attempts to document what we do with your software, the resources we make available to you and what you can do to make the packaging process smoother. If you require any clarifications or have any questions about this document, please direct them to the debian-upstream mailing list. For futher, more extensive advice on making your project more friendly to Debian and other Free Software distributions, please refer to the External advice section below.

Initial Packaging

Pristine Upstream Source

The source code archive should only contain source code, never any files that are created for the specific system during compilation. We recognize that it is fairly common to ship lexer and parser code or compiled documentation as part of the source package so administrators building from source do not need to install the build tools, however we need to rebuild all generated files to make sure that they can really be built from source, so please include methods to regenerate these files. For some guidelines about source for artwork, audio etc, please take a look at the games advice in the External advice section above.

It appears that the "rebuild everything" rule is applied inconsistently, for example, most packages do not rebuild the files generated by autoconf and automake. This is mainly for historical reasons, since these tools broke often during automatic builds.

Please do not include other packages that are also shipped separately inside your source archive, or if you do, please make sure that these can be reliably ignored. If a security issue is found in other included packages, it is far easier to rebuild one package than to scan the entire archive for all copies of this code and patch them individually (this happened for zlib, for example).

(why we'd like to have a single .tar.gz archive from you, at least for the time being)

Many upstream code sources tend to include a rough /debian directory among source files to ease bleeding-edge package compilation and installation on debian (and derived) systems; while this is a good effort, it would be better to leave it out of the final tarball as it can interfere with debian's own packaging effort. Keeping it only in your VCS repository is usually a much saner default.

Source only tarball

Please provide an archive of your source code as tar.{gz,bz2,lzma,xz} file since that's what our toolchain can currently work with.

Debian needs to make sure that it distributes the source code for all binaries in its archives. Debian achieves this by building all binaries itself, from your source code.

If your software depends on other libraries, then Debian also needs to make sure that your software compiles and works with the version of these libraries available in Debian. Debian may compile your software against another version of some library than you do. Therefore it's not of any help for Debian if you include convenience copies of these dependencies in your source tarball.

If you distribute precompiled binaries with your source code, then the Debian Maintainer has extra work to strip out these binaries and repackage your tarball. However this is not an ideal situation, since Debian would prefer to build the software packages it provides from the original tarballs you released.

Licenses

The DFSGLicenses page has a lot of information about the various licenses currently found in Debian.

Releases and Versions

Each time you reach a point in development of your software where you feel everything generally works and you've fixed a variety of bugs or implemented some interesting new features, please release a downloadable tarball with a version number. This doesn't necessarily mean that you have to keep supporting that version afterwards if you're short of resources, so long as you make that clear. But please don't develop only in a version control repository and with snapshots, or do releases only as tags. It makes it much more difficult to grab a stable point that you think generally works. A distro needs to pull in this stable point rather than an automatic snapshot which inadvertently happened in the middle of some known transition or partial development.

Each time you make a new release, give it a new version number which is greater than the previous version number. (This sounds obvious, but it's amazing how often this doesn't happen.) If anything changes, please give the new release a new version number. Even if what changed was fixing an obvious mistake or accident and the previous version wasn't usable, always give the new release a new version number.

Version numbers are only useful if they increase every time something changes. There are an infinite number. You won't run out. It's far more useful to know that version numbers always increase and that everyone with version N has identical code than it is to hit psychologically-significant numbers or to set version numbers to meet past plans about what would go into which version.

Be bold about increasing version numbers. Don't get trapped in sub-sub-sub-versions. Don't be scared about crossing magic numbers. Call it v1.0 not v0.9.8.93. You will be moving on to v1.1 soon enough when problems are found.

Consider committing to long-term support of versions of your software in stable releases of major distros. If this is a problem, discuss it with the distros before they make a release.

Hardcoded Paths

Debian's Policy requires that Debian packages follow the Filesystem Hierarchy Standard for file locations. It should also be noted that Debian packages are not installed into /usr/local. Thus Debian config files are found in /etc, and manual pages in /usr/share/man. If your program normally installs these to a different location please be sure to provide a mechanism to change the locations without patching the source. Use of environment variables for this purpose is recommended.

Dependencies

Test suites

Security

Bug tracking

Version Control System

Please provide read access to your version control system.

Git

Using Git as your VCS might be a very good choice. Git is also the most widely used VCS for packaging in Debian and mandatory for Fedora. If you're using Git then you make it much easier for (many) Debian maintainers to submit patches and review changes between versions.

Debian needs to make sure that it really packages your original source code; source code repositories can be compromised. One easy way to do so is to rely on the tag signing capability of Git together with the web-of-trust. So please tag your releases with

git tag -s $YOUR_VERSION

This wiki provides further information on creating and signing GPG keys and finding somebody to sign your key.

Your Build System

General Considerations

No Downloads

You should never assume that Internet access is available during building. Debian is often installed from CDs or DVDs in places without connectivity, where those packages could not be rebuilt.

Out-of-Tree Builds

Please ensure that your software can be built from outside the source tree, both from in entirely different locations and from specific subdirectories of the source tree.

If you are using autotools then you can check this by running make distcheck. This will export a release tarball and run some dummy builds using it.

The reason for this is that if your software can be built in different ways, we need to build all of them in different directories. Sometimes we also need to be able to build your software for multiple architectures at the same time.

Cleaning the Tree

(if out-of-tree works, we can rm -rf the build tree, otherwise we need clean targets that remove anything that can be automatically rebuilt, including generated source)

Including a file in your distribution and then modifying it as part of the build is confusing and leads to spurious differences that appear to be Debian-local modifications unless the packager takes special care. Files of this type should instead be generated from a template with a different file name, the way that Autoconf handles config.h, generated from config.h.in, and the generated file removed in your clean or distclean target and not included in the distribution.

Installation

Please honor the DESTDIR environment variable or make variable and use its contents as a prefix in front of all installation paths. (Supporting changing prefix at make install time without changing any of the paths built into the software is also good practice, but not strictly necessary if DESTDIR is used.) Automake's make distcheck will verify that your package supports this, as well as out-of-tree builds and other best practices, so if you're using Automake, that's a nice check to do before a release.

After running make, running make install should not rebuild any files and in particular shouldn't encode any new paths. Otherwise, it's very hard to install the software in a temporary staging area without including the paths to the staging area in the final software (which in the case of RPATH can even be a security concern).

Assume that the directories into which you're installing files may not already exist and create them if necessary using mkdir -p (possibly via the $(MKDIR_P) macro provided by Autoconf and Automake), install -d, installdirs, or some similar technique.

Optimisation

You should never optimise for the CPU that is being used for the build by default. Debian buildd machines often support more CPU features than the baseline supported by individual Debian architectures, so if you optimise for the build machines then users will probably get crashes due to illegal instructions. If you want to build additional optimised versions of libraries, they should be installed in hardware capabilities directories documented in the ld.so(8) manual page.

Autoconf and Automake

If you use config.guess and config.sub, please make a habit of always copying the latest versions from ftp.gnu.org or some other source (such as /usr/share/misc on a Debian system with autotools-dev installed) into your package when you release. If you use autoreconf, it can do this for you automatically provided that you keep your local system version up to date. Most of your users may not care about the changes, but Debian often does, since Debian supports a wide variety of architectures.

(we like it, but keep it fresh :) )

Make

(we sort of like it)

Some make variables are reserved to the user, and the Automake manual and the GNU coding standards advise to never use them for switches that are required for proper compilation of the package. When a Debian binary package is built, default environment variables are prepared by dpkg-buildflags (In Debian Wheezy: CFLAGS, CPPFLAGS, CXXFLAGS, FFLAGS and LDFLAGS), to allow the build system to override the corresponding variables in the Makefile. We therefore strongly recommend to follow the above advice, and to make your makefiles use these variables were relevant, in a way that our build system can override them.

SCons

Please don't use SCons, we will have to re-implement many standard features of autoconf/automake; DESTDIR, out of tree builds, cleaning and more.

waf

Using waf as build system is discouraged. One of the reasons is the recommendation to ship a waf executable in every single package using it, instead of using a system wide one. Also note that just shipping the waf executable (which contains a binary blob) is considered to be not complient with the Debian Free Software guidelines by the FTP Team. Please see #645190 and UnpackWaf for more details on the issue and how to avoid it, if you have to use waf.

Java

As it happens way too often: please do not ship any prebuilt class or jar files or any other generated files without accompanying source code and do not download such files during the build process. Please document each dependency and in particular: where can its source code be obtained.

Maven is a very popular build tool for Java code and it is easy to use for Debian packaging, too. It does provide a documentation of dependencies in the pom.xml files and we can point Maven to dependencies available in Debian and detain it from downloading anything.

Perl

Please use one of the standard Perl build systems, either Module::Build or ExtUtils::MakeMaker, and please try not to modify it in too many odd ways. That helps greatly in preparing packages.

Please remember that builds need to be done unattended and provide some mechanism to set defaults or bypass any prompts with known answers.

(we like stuff from CPAN, why?) (plugins => see above)

Here is a link to the debian-perl group's internal policy regarding perl packages in debian pkg-perl policy.

Python

(they have a standard way of packaging too) (plugins => see above)

OCaml

Please help us in supporting architectures for which the native code compiler (ocamlopt) is not available. Practically this mean to support in your build tool (makefile or corresponding) one of the following 2 behaviors:

  1. automatically detect whether ocamlopt is available or not, build native code objects/executables only if this is the case, install native code executables only if they have been built
  2. provide different make targets (or corresponding tool invocations) to build and install bytecode stuff vs native code stuff. Usual names for that are: all vs opt (to build bytecode/native code stuff) and install vs install-opt

(other languages with their own deployment tools)

After initial packaging

If your package has been packaged for Debian, thank you and congratulations. We hope that you will get new users. There are some resources that you may want to take advantage of:

Note that subscription to PTS is recommended but optional. The Debian maintainer will forward you bugs that need your help or your interest.

Branching

(why we maintain ancient versions in stable) (what to do if you think we shouldn't do this)

If you fix bugs, please try to have only the bug fix in the commit. This will let us more easily backport the fix to the version included in a Debian release.

Upgrades

(converting old system wide data) (converting old user data)

Downstream Patches

(we need your help in understanding your package) (please add unit tests even for functionality you believe is trivial so we can see if a patch breaks something)

Porting

You can view the build logs for packages at buildd.d.o and buildd.d-p.o. These can be useful for discovering build failures and compiler warnings that occur on less common architectures.

Be mindful about portability. Debian releases for a number of architectures and kernels.

GettingPorted - things to keep in mind when developing a program or packaging it so that it remains portable.

Branding

Do not brand your software as part of any particular distribution, since that will need to be removed every time your software enters a new distribution.

Optionally provide build-time or run-time ways for distributors to add branding and other per-distribution settings to your software.

External advice

Here are some similar guides for upstream developers:

Ubuntu's Upstream Guide

"Distribution-friendly projects" by Diego Pettenò - part 1, part 2, part 3.

How you know your Free or Open Source Software Project is doomed to FAIL (wiki version) by Tom Callaway. See also the associated This is why you FAIL talk by Tom at SCALE 2011. /!\ includes some advice that large successful projects like Linux, Qt, and GTK do not heed.

Packaging Unix software by Adam Sampson

Releasing FLOSS for Source Installation by David A. Wheeler.

The java packaging nightmare... by Vincent Fourmond

Upstream hints for Java developers by folks at FOSDEM 2010

The real problem with Java in Linux distros by Thierry Carrez (LWN comments)

How to be forkable and not get forked by Mel Chua

Free Software Project Management HOWTO by Benjamin Mako Hill

A blog series by François Marier:

Rules for distro-friendly packages by Enrico Weigelt

Releasing Free/Libre/Open Source Software (FLOSS) for Source Installation by David A. Wheeler

How to be a good upstream for games by Debian/Fedora/etc games teams

Writing a C library by David Zeuthen /!\ (includes some advice that can be considered controversial)

How to be a good upstream, a FOSDEM 2010 talk by Petteri Räty of Gentoo (there's also a video available at the FOSDEM 2010 distributions devroom video archive).

Physics Software Rant by Kevin B. McCarty

The cost of going it alone by Dave Neary (LWN comments)