Bazaar .deb packaging through PPAs - pros and cons

Martin Pool mbp at sourcefrog.net
Wed Dec 19 22:47:59 GMT 2007


> Is it only on edge, or can it be accessed from:
>
> https://launchpad.net/~bzr/+archive
>
> (I would assume the latter, but I didn't know if PPA was still for beta-testers
> only.)

Yes, it's there too.

(For those who may be wondering: "edge" is a different Launchpad
server that runs pre-release code looking at the same database;
Launchpad beta testers get automatically redirected to it so it tends
to creep into my urls.  I should edit it out but can forget.)

> >  * Somewhat less setup for a new person who wants to build packages -
> > although the pbuilder script actually makes it fairly trivial.  Most
> > of the knowhow is in making the package though, so this doesn't save
> > much.
>
> pbuilder is a local side script?

Yes, pbuilder (apt-get install pbuilder) is a script that manages
installing and using a chroot containing a minimal version of another
ubuntu or debian release.

> >  * Anyone in the ~bzr group can upload a new source package;
> > authentication is done through the usual mechanism.  So there's less
> > latency in waiting for a particular person to update the package, or
> > upload it into the archive.
>
> In the past we were rather casual at who we let into the ~bzr group. I know you
> changed it to a moderated group. I'm just curious about permission levels,
> though. It is one thing to have someone able to join a group to let them have
> access to marking bugs closed/triage them. As well as to get automatic emails
> for all bugs related to the project.
>
> It is a bit different to give them write permission on the "official" Bazaar
> branches. And then again to give them write permission on the official release
> archive. Though if they have write perms to ~bzr/bzr/trunk, I'm fine giving
> them write perms to ~bzr/+archive.
>
> I guess this is more that there should be some granularity between having
> permissions to handle bugs, and having permissions to define what is official
> code from the project. (Bugs can be trivially re-triaged, releasing a version
> of code with a back-door in it is a project injuring thing.)

The other notable thing they can do is create (and modify?) download
files.  So it is a fair level of trust.  I went through the list a
while ago and checked that everyone there really was active in the
project, and removed some people who are not.  (We were getting a lot
of applications to join from people I'd never heard of, I think just
out of general enthusiasm.)

I believe anyone can set bug status, maybe only project members can
set severity.

So for now let's just be careful about who's in ~bzr and leave it at
that.  You might raise this trust issue on the Launchpad list...

> >  * It can build amd64 packages for people who only have an i386
> > machine (like me.)
>
> That is nice. Though why dpkg/etc can't cross-build seems a little strange. gcc
> has supported target platforms for a long time.

It's possible in dpkg.  The problem is usually in build
scripts/makefiles/whatever that don't allow for cross-compiling - I
doubt whether python modules can be easily cross-compiled, for
example.  Maybe.

> >  * Also, at the moment it only builds for Ubuntu, not Debian.  (Though
> > again, there seems to be interest in supporting both.)
> >
>
> This is probably a bigger issue. Though don't the Debian people have their own
> archive on one of the official debian sites?

Talking to Jelmer later, he said not to worry too much about this:
they get packages into sid fairly quickly, and into backports after
that.  Possibly we should use the backports.d.o system to make bzr for
older debian releases.  All other things being equal having our
release in the official archive rather than just in our own is better.

Robert pointed out these gaps: when Debian is freezing for release
those updates may not happen; Debian may not package rcs; and the
backport updates may not get enough attention.

> > So for this release at least, I'm inclined to let PPA build all the
> > packages, and then copy them into the repository in bazaar-vcs.org,
> > keeping that as the definitive location.
>
> I think this is a decent transitional step. The more we can get automated and
> fostered off into other systems, the happier I am.

Since I wrote that, I have got most of the packages rebuild at least
on grumpy, and in the ppa.  As a person with some but not a great deal
of Debian packaging experience, I found it noticeably easier than
maintaining the archive myself.

-- 
Martin



More information about the bazaar mailing list