File: README.source

zope2.13 2.13.22-1
Debian packages of the Zope2 application server
-----------------------------------------------

IN A NUTSHELL: Zope2 Debian packages include copies of many dependencies, of
               which some even exist as separate Debian packages. This is
               especially important to know for the Security Team. Read on
               to understand why this situation is necessary.

 Since version 2.12, the Zope2 application server is no longer released as a
monolithic tarball. Instead, a modularized approach is taken. Many Zope
dependencies (so-called 'eggs') are developed and released independently
of each other. The Zope2 upstream authors suggest using a build system
called 'buildout'. In a nutshell, buildout takes a list of required Python
and Zope dependencies with exact version numbers, fetches all these eggs
from the Python Package Index (pypi.python.org), and merges them into an
isolated Python environment.

 This build system has major drawbacks. The most important one for Debian is
that it is incompatible with the FHS, doesn't work for distribution packages,
and ignores system integration entirely. Instead it creates a jailed Python
environment for every single application, making software upgrades and security
support a huge mess.

 Even worse, most Zope2 dependencies don't care about backwards compatibility
at all. Often, even minor versions include incompatible API changes. This is
the main reason why it's impossible to package the Zope eggs separately and let
the Zope2 application server depend on them.

 This leads to the ugly but necessary fact that the Zope2 package sources in
Debian are a merge of the Zope2 application server and all Zope dependencies.
The orig.tar.gz is created by the 'get-orig-source' target of the debian/rules
build script.

 We (the Debian Zope2 Maintainers) are aware that this situation has issues.
The biggest problem is code duplication: The source code of already packaged
Zope eggs is duplicated in the Zope2 source packages.
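 As an added illustration (not part of this README or of the Debian packaging
scripts), the following script inventories the eggs embedded in a merged source
tree and flags those that also exist as separate Debian packages, which is the
list a security update has to be applied to twice. The tree layout (one
<name>.egg-info/PKG-INFO per egg), the egg versions and the Debian-packaged
versions are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample: stand-in for a merged Zope2 source tree in which every
# vendored egg ships its own <name>.egg-info/PKG-INFO (layout assumed here).
SAMPLE_EGGS = {
    "zope.interface": "3.6.7",
    "zope.component": "3.9.5",
    "Acquisition": "2.13.8",
}
# Constructed sample: versions of the same eggs packaged separately in Debian
# (hypothetical values, not taken from the archive).
DEBIAN_PACKAGED = {"zope.interface": "3.6.1", "zope.component": "3.9.5"}


def build_sample_tree():
    """Create a throwaway tree with one <name>.egg-info/PKG-INFO per egg."""
    root = Path(tempfile.mkdtemp(prefix="zope2-src-"))
    for name, version in SAMPLE_EGGS.items():
        info = root / "eggs" / name / f"{name}.egg-info"
        info.mkdir(parents=True)
        (info / "PKG-INFO").write_text(
            f"Metadata-Version: 1.0\nName: {name}\nVersion: {version}\n")
    return root


def parse_pkg_info(path):
    """Return (name, version) from the RFC 822-style headers of a PKG-INFO."""
    fields = {}
    for line in path.read_text().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields["Name"], fields["Version"]


def inventory_embedded_eggs(root):
    """Walk the tree and map every embedded egg name to its version."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if dirpath.endswith(".egg-info") and "PKG-INFO" in files:
            name, version = parse_pkg_info(Path(dirpath) / "PKG-INFO")
            found[name] = version
    return found


def duplicated_copies(embedded, packaged):
    """Eggs present both embedded and as a Debian package, with both versions."""
    return {n: (v, packaged[n]) for n, v in embedded.items() if n in packaged}
```

A version pair that differs (here zope.interface) means a fix for the standalone
package cannot simply be copied into the Zope2 source package without checking
which version the embedded copy actually is.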

 If the situation ever improves (e.g. Zope eggs upstream start to care about
backwards compatibility), the Zope2 packages should be updated to use the Debian
packaged Zope dependencies.

 -- Jonas Meurer <mejo@debian.org>  Thu, 23 Jun 2011 22:19:36 +0200