Hi,

last month, Wolfgang Borgert wondered [1] if we should decide to enable source-only uploads. The thread was led quite emotionally and turned out to be a flame war. Personally, I stopped following it when [DD X] wrote: "Be very wary of listening to [DD Y]. His comments are frequently disconnected from reality.". I guess that others did similarly.

But since I'm interested in this topic, I now read over it and try to summarize the main reasons for or against source only uploads:

Pro:

* Better quality and consistency
* Autobuilders (i386) are inexpensive
* We could have "Architecture: all" autobuilds
* Prevention of trojans in binaries
* Prevention of statically linked-in stuff we don't have the source from in the archive
* The current situation keeps DDs from using experimental (which in turn is suggested by the RM) because experimental parts disqualify an installation as a build environment
* Currently, the developer's development environment potentially exposes information about him (name etc. in generated files)
* Currently, autobuilders don't find all FTBFS bugs (especially in "Architecture: i386" and "Architecture: all" packages)
* DD bandwidth could be saved by source only uploads
* A full build log could be available
* Currently, the mostly used architectures (i386 and powerpc) have the least quality because the packages built in individual developer's environments are more likely to be broken or at least influenced

Con:

* Autobuilders are "artificial" and don't reflect common Debian installations
* Autobuilders are regarded as a single point of failure: breaking into them does more harm than breaking into all the developer's machines
* Developer's machines accommodate "real life systems", so they can even detect more bugs since they expose the build process to more configuration possibilities
* There are not enough autobuilder resources available
* Source only uploads (SOU) would encourage carelessness
* "Architecture: all" packages won't get built with SOU
* Currently, we have a variety of build environments: various DD's installations, plus "artificial" buildd environments. This covers more of the testing space, i.e. will discover more bugs
* DDs shouldn't upload packages built in their experimental etc. extended environments, but instead they should upload pbuilder-built versions
* Would require extra amount of work for porters

(I apologize to all of you who find this redundant.)

Please don't reply to this mail publicly by continuing or restarting the old debate. (But I invite you to just add further _basic_ reasons I forgot to mention here.)

Instead, I volunteer to host a small, unofficial and non-anonymous survey to get an impression of the community's opinion. If you are a Debian Developer, please send me a private mail with "Source only uploads: Yes" or "Source only uploads: No" in the subject. At the beginning of December, I will post the results, and if there is any doubt, I will disclose the list of names and votes.

Thanks.

bye,
Roland

[1] http://lists.debian.org/debian-devel/2003/debian-devel-200310/msg01226.html