[py3porters-devel] Bug#782762: python-qrcode: Please add python3 package

Stuart Prescott stuart at debian.org
Thu May 21 04:10:15 UTC 2015 

Hi all,

Thanks for the comments.

> > * move to pypi.debian.net instead of chasing pypi upstream pages
[...]
> > -opts=pgpsigurlmangle=s/$/.asc/
> > https://pypi.python.org/packages/source/q/qrcode/qrcode-(.*).tar.gz
> > +opts=pgpsigurlmangle=s/$/.asc/
> > http://pypi.debian.net/qrcode/qrcode-(.*).tar.gz
> This moves from an https URL to a cleartext http URL.  This seems like
> an overall loss to me, even at the cost of "chasing" pypi a bit.  I'd
> generally prefer to stick with the secure URL.  If pypi isn't being
> stable, maybe we should ask them if they can try to stabilize?

The download is still gpg signed and I'd trust the gpg signature in preference 
to an https URL.

The "fixed" version of pypi that is claimed to provide stable URLs is hideous 
to work with:

	https://pypi.python.org/packages/source/q/qrcode/

(the embedded md5sum in the URLs makes for a tedious regexes that no human 
should be required to write or understand).

As an aside, we see places like sourceforge, pypi, bitbucket etc breaking 
uscan on a regular basis which then requires us to update 4-digit numbers of 
packages. I'd rather have the single point of failure under our control (so we 
fix pypi.d.n once to deal with a new setup) rather than having to update 1000 
packages again.

> I note you didn't update the debhelper version requirements (or
> debian/compat) to 9, as recommended in
> 
>  https://wiki.debian.org/Python/LibraryStyleGuide

There are no practical benefits to doing so for this package, but yes, it may 
as well be updated. Yes, we should include a versioned dependency on debhelper 
just in case someone wants to backport to squeeze.
 
> I also note that the updated d/rules doesn't include PYBUILD_NAME, which
> i understood was a necessary value to export.

There is no requirement to do that. The style guide linked to above implies 
you do but in practice you do not. From the pybuild man page:

      · if  more  than  one  binary  package is build: add
         debian/python-foo.install files, or export
         PYBUILD_NAME=modulename  (modulename  will  be  used  to
         guess  binary package prefixes), or export PYBUILD_DEST‐
         DIR env. variables in debian/rules

I have done the first of these; the *.install files were going to be necessary 
anyway for the multiple binary packages and for qr(1).

> > + This package contains the Python 2 module; the command line tools are in
> > + the python3-qrcode package.
> 
> This is the biggest possible change to the package, and i'm not sure
> what to do about it.

Likewise and it's a FAQ in this porting process for which there is no really 
good answer; the only nice situation is where there is a separate package with 
binaries in addition to the modules.

> This means that someone who has installed python-qrcode for the purposes
> of using /usr/bin/qr might be surprised to find that interface disappear
> from their system.  I don't think there are any debian packages that
> have this dependency (the only rdepends are python-freeipa and keysync,
> which i think use the python modules and not /usr/bin/qr) but it's
> conceivable that some user had installed it this way and is now bummed.
> 
> Python3 porters: what is the right way forward for packages like this?
> 
> If we decide on a case-by-case basis, what is a reasonable rule of thumb
> to follow?
> 
> I'm tempted to say that for this package, with its few reverse
> dependencies, and no explicit use of /usr/bin/qr that i can see, we can
> just move the script from python-qrcode to python3-qrcode.

Agreed. That was my feeling in making the move in this case; I also looked at 
popcon of python-qrcode and decided that the number of people with pitchforks 
wouldn't be enormous (while recognising that there would indeed be some people 
who would have pitchforks...).
 
> Alternately, we could have some sort of alternatives system so they
> could both provide the script, but this seems like it would be overkill.

I'd say use of the alternatives system would only make sense if the local 
admin actually cared about which particular implementation was used.

There are two additional alternative options:

* make a "qr" package that depends on python3-qr and ships only the 
/usr/bin/qr [1]. This separate package doesn't actually solve the upgrade 
problem though... to provide an upgrade path, we'd be making a Replaces on the 
python-qr package and there would also need to be a link to cause apt to 
install the new package. That link would mean that installing a Python 2 
package caused Python 3 to be installed which is clearly wrong.

* both python-qr and python3-qr ship /usr/bin/qr but with some sort of dpkg-
divert dance in their maintainer scripts. (Give ownership of qr(1) to the 
python3 package and divert the other one to qr-python2 or similar.) This would 
work but also feels a bit fragile.

> I'm inclined to push changes like this (including Stuart's edits, and
> the move of /usr/bin/qr to python3-qrcode) to collab-maint and prepare
> an NMU once i've had the chance to test them.

I'm obviously comfortable with that :) I've got combinations of python-qrcode 
and python3-qrcode installed on a couple of different machines for my own use 
-- I wanted python3-qrcode because I was starting new projects in Python 3 and 
hitting at roadblocks when I found them. This was an itch being scratched.

cheers
Stuart

[1] Our ftp-masters have previously indicated that they'd like packages to 
ship more data than metadata which is fair enough, but at the same time the 
separate package would have been the "right" thing to be do for many of our 
python module packages that also happen to ship an executable. That we have 
not been using separate binary packages for the executable and the module 
means that users have had to care about implementation details (which version 
of python is qr(1) using?) and is precisely why we have this problem now. 

-- 
Stuart Prescott    http://www.nanonanonano.net/   stuart at nanonanonano.net
Debian Developer   http://www.debian.org/         stuart at debian.org
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/py3porters-devel/attachments/20150521/fbb9531c/attachment.sig>

More information about the py3porters-devel mailing list