[copying debian-ruby]
On Wed, 18 Dec 2019 22:55:16 +0000 Simon McVittie <s...@debian.org> wrote:
The technical committee has been asked to consider what level of binary
package granularity is appropriate for the src:ruby-task-list package,
and for similar packages that provide library code for more than one
language in the same upstream source release. This is advice under
ยง6.1(5) of the Debian constitution, and is not intended to overrule
any developers' decisions.
Thanks for the detailed response. I wonder if this could be documented
in debian-policy or developers reference or some other suitable place.
> 3. For the specific case of src:ruby-task-list, which provides both a
Ruby
> library and a JavaScript library, we suggest:
>
> * shipping both Ruby and JavaScript libraries in a single binary package
> * removing the dependency on the Ruby interpreter, unless there is a
> reason why it is required
> * asking the maintainers of the Ruby libraries that ruby-task-list
> recursively depends on (such as ruby-rack) to remove *their*
dependencies
> on the Ruby interpreter, unless there is a reason why it is required
Just confirming, this would mean ruby-rack (371 kB), ruby-activesupport
(2,082 kB), ruby-html-pipeline (90.1 kB) getting installed even when
only javascript library is required for an application. Since this will
not be pulling an interpreter so waste of space and bandwidth is ignored
in this case as it is not opening an attack vector (unlike the case when
unrelated interpreter is installed). At least 7 MB packages (combined
size of those mentioned recursive dependencies) will be installed when
some one just wants to install a 8KB library.
And ruby-activesupport will pull ruby-concurrent (886 kB), ruby-i18n
(38.5 kB), ruby-minitest (150 kB), ruby-tzinfo (202 kB). So I will need
to ask maintainers of each of these packages (all of them under ruby
team) also to remove their dependency on ruby.
ruby-tzinfo will pull ruby-thread-safe (26.4 kB) and tzdata
(ruby-thread-safe will pull ruby-atomic (56.3 kB)).
ruby-html-pipeline will pull ruby-nokogiri (446 kB), ruby-pkg-config
(8,464 B) and ruby-nokogiri has non-ruby dependencies too libxml2 (687
kB), libxslt1.1 (237 kB) and recursively more, at least 32.4 MB of
libicu63 (which can be ignored as nodejs also depend on it).
I think we will need to update gem2deb to not add a dependency on ruby
if it is a library only package (ie, no executables).
