[Build-common-hackers] Bug#311724: cdbs: Automatic update of debian/control, first paragraph, broken

Joerg Jaspert Joerg Jaspert <joerg@debian.org>, 311724@bugs.debian.org
Fri, 03 Jun 2005 00:08:01 +0200

Content-Transfer-Encoding: quoted-printable

Package: cdbs
Version: 0.4.30
Severity: normal

Hi Maintainer,

First of it: Im *not* after getting cdbs to die or something which I
already heard from some, it is *this* one mis-feature im against.

Im talking about the "Update Build-Depends on the fly" thing and the bad
things that it produces.

Sorry, but Packages with such autogenerated build-dependencies should
not go in our archive, for various reasons, the biggest one is:

=2D Modifying them on the fly can mean that they change without you noticing
  it. This is not bad for the actual built you do, but now think about later
  builds. Our autobuilders will get the changed Build-Dependencies and then
  may built a different thing.
  Or think about NMUs (eg. for RC fixes and stuff) or in worst case even
  security updates.

A few examples of autogenerated Build-Dependencies which I found in NEW
are (trimmed for line-size):
1: debhelper (>=3D4.2.0), cdbs (>=3D0.4.23-1.1), build-essential,
   debhelper (>=3D4.1.0), quilt, patchutils (>=3D0.2.25),
   cdbs (>=3D0.4.27-1), python-dev

  Note: I havent doubled the debhelper or cdbs ones, they ARE this way.

2: cdbs (>=3D 0.4.23-1.1), build-essential, debhelper (>=3D 4.1.0),
   patchutils (>=3D 0.2.25)
  Note: Here it is mainly b-e - maybe related to an older bug in cdbs,
   but still an example.

I could paste more, but would make mail unneccessary long. :)

A solution to this thing is simple:

  Add another target in the cdbs thing, that is *never* called automaic
  in the build-process, only if the maintainer runs it with debian/rules
  target and let that one do the update thingie. Of course maintainer
  needs to look if it is correct then.

The only exception from modifying something in the first paragraph of
debian/control is the uploaders field, as it would be insane for some big
group-maintained package to do that by hand, but thats it.

bye Joerg
"That's just f***ing great, now the bar for being a cool guy in free
software just got raised. It used to be you just had to write a million
lines of useful code. Now you've got to get a subpoena from SCO to be cool."

Content-Type: application/pgp-signature

Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Joerg Jaspert <joerg@debian.org> -- Debian Developer