Bug#1017892: Ships copies of libraries that are in Debian and autogenerated files that can't be renegerated with the code in Debian main

Simon McVittie smcv at debian.org
Mon Aug 22 10:05:47 BST 2022 

Control: clone -1 -2
Control: retitle -1 librsvg: Has vendored copies of Rust libraries that are in Debian
Control: retitle -2 librsvg: Contains generated files whose source is not necessarily the same version that's in main
Control: tags -1 + help
Control: tags -2 + help

On Mon, 22 Aug 2022 at 10:19:01 +0300, Sebastian Dröge wrote:
> The vendor subdirectory in the librsvg source package contains copies of
> various Rust libraries in specific versions. Some of them are packaged in
> Debian (i.e. the version from Debian should be used), others contain
> autogenerated files for which the original source is not in Debian.

This seems like two separate issues, so I'm cloning it.

Is there ftp team consensus that either or both of these issues are RC?

Regardless of whether they are RC, the GNOME team is unlikely to be
able to solve these without help. In particular, I have been one of
the more frequent uploaders of librsvg in recent years, not because
I *want* to be involved with librsvg, but because *someone* has to do
it (as a dependency of GTK 4 and GNOME, among others). I don't know
Rust or the Rust toolchain, so I am not well-placed to make extensive
structural changes.

The Rust tooling in Debian seems to have a general assumption that
every Rust library is built using Cargo as its top-level build system and
packaged individually (no vendoring). Conversely, because it was gradually
ported from C to Rust, librsvg is built using Autotools (invoking Cargo
internally); and its dependencies are provided as vendored modules. I do
not have sufficient Rust knowledge to fit Debian's Cargo wrappers into
this Autotools build, I certainly do not have sufficient Rust knowledge
to adapt it to be able to cope with having half the dependencies vendored
and the other half coming from external packages, and I am definitely
not the right person to be packaging all the vendored dependencies as
individual Rust libraries.

I already dread having to package a new upstream version of librsvg,
because it means losing several hours of my life to checking a diff and
updating d/copyright. I had been forcing myself to do this work anyway,
because part of being involved in a volunteer project is having to do work
that we don't want to do, but perhaps I should have been refusing to touch
this particular package and letting its occasional CVEs and other RC bugs
go unfixed until someone with the right skillset picked it up? I've done
my best, but I know my best is not good enough. Other Debian contributors
with more time and/or expertise are welcome to step in any time.

If Debian as a project requires librsvg to be maintained in particular
ways, then someone who is capable of doing that work will need to do it,
and I'm sorry but that's not me.

    smcv

More information about the pkg-gnome-maintainers mailing list