Bug#950926: ember: Using packages to install "snap" packages is not a correct use of the packaging system

Sat Feb 8 17:25:20 GMT 2020

Hi Manuel,

Thanks for your bug report and thanks for your thoughts. However, at
this point I'm inclined to respectfully disagree with you on this subject.

On 2/8/20 8:44 AM, Manuel A. Fernandez Montecelo wrote:
> Package: ember
> Version: 0.8.0~snap1
> Severity: serious
>
> Hello,
>
> I don't think taht using this package as an empty shell and a gateway to install
> the "snap" package [1] is a valid use of the packaging system.

Not only is this use listed in Policy [1] under the contrib section
(where I'm moving the two packages I've done this with, pending NEW) but
a number of other packages (in contrib) do exactly the same thing. Flash
[2] being the obvious example. I'd also like to point out that I asked
about this course of action back in December [3] and no one raised any
concerns. So it's a little frustrating that after I've done all the work
to convert the packages I'm now getting feedback saying I shouldn't have
done it.

> Otherwise, if this was an accepted practice, we could start to have many
> packages which are just a way to install snap packages, which can easily contain
> security vulnerabilities and install not free software, specially if the version
> is not restricted in some way.  And this not generally expected by users of
> Debian, IMO.

This is a fair concern. However, I think that users *do* expect this of
packages in contrib. Pabs made a good argument in a different bug report
about this issue and convinced me. I'm going with that.

However, I do agree that this shouldn't be *normal*. Ideally, we should
host source code and build the packages ourselves, in main. In this
case, I see this as a gap-filler while the upstream packages go through
a period of extreme instability. Upstream is very small and this process
is likely to last more than a year. I structured the transitional
packages, and annotated a comment in d/copyright, explaining that this
is a temporary step to have a usable package (for Debian users who opt
in to contrib) until upstream stabilizes and I can package it in main again.

> If users want to install Snap packages, they can always do so on their own.

They can. I'm just trying to provide a transition path that will
eventually lead to the main packaging of the updated upstream software.

> So please reconsider and either package the game properly or drop this package
> altogether.

FWIW, I am planning to temporarily drop the supporting Worldforge
libraries [1] since they will just be taking up space in the archive and
they'll get pulled back in to a user's system once Ember and Cyphesis
return to main.

Again, I want to clarify that I am open to inputs (and I appreciate
yours) and I'm happy to continue the discussion if you have additional
points that you think I should consider. But I really wish that these
concerns had been brought up back in December...

> [1] https://salsa.debian.org/games-team/ember/blob/master/debian/ember.preinst

-Olek

[1]
https://www.debian.org/doc/debian-policy/ch-archive.html#the-contrib-archive-area
[2] https://packages.debian.org/sid/flashplugin-nonfree
[3] https://lists.debian.org/debian-devel-games/2019/12/msg00000.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-games-devel/attachments/20200208/f34e1eb6/attachment.sig>