r2325 - in zope2.12/trunk/debian (README.source changelog)

mejo at users.alioth.debian.org
Thu Jun 23 20:27:55 UTC 2011


    Date: Thursday, June 23, 2011 @ 20:27:54
  Author: mejo
Revision: 2325

add debian/README.source

Added:
  zope2.12/trunk/debian/README.source
Modified:
  zope2.12/trunk/debian/changelog

Added: zope2.12/trunk/debian/README.source
===================================================================
--- zope2.12/trunk/debian/README.source	                        (rev 0)
+++ zope2.12/trunk/debian/README.source	2011-06-23 20:27:54 UTC (rev 2325)
@@ -0,0 +1,43 @@
+Debian packages of the Zope2 application server
+-----------------------------------------------
+
+IN A NUTSHELL: Zope2 Debian packages include copies of many dependencies, of
+               which some even exist as seperate Debian packages. This is
+               especially important to know for the Security Team. Read on
+               to understand why this situation is necessary.
+
+ Since version 2.12, the Zope2 application server is no longer released as
+monolithic tarball. Instead, a modularized approach is taken. Many Zope
+dependencies (so-called 'eggs') are developed and released independently
+from each other. The Zope2 upstream authors suggest to use a build system
+called 'buildout'. In a nutshell, buildout takes a list of required python
+and Zope dependencies with the exact version number, fetches all these eggs
+from the Python Package Index (pypi.python.org), and merges them into a
+isolated python environment.
+
+ This build system has major drawbacks. The most important one for Debian is,
+that it is incompatible to the FHS, doesn't work for distribution packages,
+and ignores integration in a system at all. Instead it creates a jailed python
+environment for every single application, making software upgrades and security
+support a huge mess.
+
+ Even worse, most Zope2 dependencies don't care about backwards compatibility
+at all. Often, even minor versions include incompatible API changes. This is
+the main reason, why it's impossible to package Zope eggs modularized, and let
+the Zope2 application server depend on it.
+
+ This leads to the ugly but necessary fact, that the Zope2 package sources in
+Debian are a merge of the Zope2 application server and all Zope dependencies.
+The orig.tar.gz is created by the 'get-orig-source' target of the debian/rules
+build script.
+
+ We (the Debian Zope2 Maintainers) are aware of the problems with this
+situation. The biggest problem is code duplication: The sourcecode of already
+packaged Zope eggs is duplicated in the Zope2 source packages.
+
+ If the situation ever improves (e.g. Zope eggs upstream start to care about
+backwards compability), the Zope2 packages should be updated to use the Debian
+packaged Zope dependencies.
+
+ -- Jonas Meurer <mejo at debian.org>  Thu, 23 Jun 2011 22:19:36 +0200
+
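Review bot: The IN A NUTSHELL paragraph addresses the Security Team, but nowhere in the file is there a statement of which eggs and versions are embedded or where that list can be found, so a reader tracking an advisory against a separately packaged egg cannot tell from this README whether the zope2.12 source is affected. Suggest adding a pointer to wherever the pinned versions used by the 'get-orig-source' target are recorded, and a sentence on how a fix to one bundled egg is meant to be applied to the merged orig.tar.gz. Minor spelling while here: "seperate", "compability", "a isolated".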

Modified: zope2.12/trunk/debian/changelog
===================================================================
--- zope2.12/trunk/debian/changelog	2011-06-23 18:51:49 UTC (rev 2324)
+++ zope2.12/trunk/debian/changelog	2011-06-23 20:27:54 UTC (rev 2325)
@@ -21,8 +21,9 @@
     - Remove unused lintian overrides package-contains-empty-directory and
       file-in-unusual-dir
     - Add lintian override wrong-path-for-interpreter for python wrapper
+  * Add a debian/README.source to explain the current packaging approach.
 
- -- Jonas Meurer <mejo at debian.org>  Thu, 23 Jun 2011 20:01:39 +0200
+ -- Jonas Meurer <mejo at debian.org>  Thu, 23 Jun 2011 22:24:17 +0200
 
 zope2.12 (2.12.11-1) unstable; urgency=low
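Review bot: The added entry "Add a debian/README.source to explain the current packaging approach." does not say what the approach is, and the README itself names the Security Team as its main audience. Suggest wording the entry so a changelog search turns it up, for example by stating that the source package embeds copies of the Zope dependencies and that README.source documents why.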
 



