[HN Gopher] Debian Packages That Need Lovin'
___________________________________________________________________
Debian Packages That Need Lovin'
Author : spyc
Score : 56 points
Date : 2021-02-20 21:05 UTC (1 hours ago)
(HTM) web link (wnpp.debian.net)
(TXT) w3m dump (wnpp.debian.net)
| pvsnp wrote:
| Aren't Canonical and other distributions upstreaming changes to
| Debian?
| IgorPartola wrote:
| I once built a whole deployment system out of packaging all our
| services as Debian packages and running them out of our own apt
| repo. Once we got it working, this was a really low maintenance
| system and bringing new servers online was stupid easy.
|
| Since then Debian packages have become easier to create and
| maintain. And it's a great skill if you ever need to create e.g.
| a custom-compiled version of nginx or some such. It's a really
| well thought out system and I am surprised it isn't more widely
| used. By contrast Docker seems to be more portable but way more
| of a pain in the ass.
| kenniskrag wrote:
| Why is Eclipse so many versions behind the current version? I do
| not think it would hurt to update a little faster.
| tacostakohashi wrote:
| I have been using Debian on and off since the late 90s, including
| some time creating packages. It was wonderful to be able to
| install a recent, working version of pretty much anything you
| wanted for the vast majority of that time.
|
| More recently, so many things I want to use are not available as
| a reasonably up-to-date package. Some examples are hugo and
| eclipse, where the versions provided are unusably ancient.
|
| https://lwn.net/Articles/842319/
|
| Meanwhile, more and more software is actively hostile to
| packaging / distributions, and things seem to have devolved into
| grabbing things from random github repos, or various
| dedicated/language-specific package managers like npm, pip, brew,
| ...
|
| It's definitely annoying, seems like a step backwards, and it's
| not clear to me whether there's some better distro I could be
| using, whether some funding / volunteer time could help, or the
| world has just "moved on" (backwards...) from the idea of a linux
| distribution with reasonably stable, up-to-date packages that
| "just work" for basic infrastructure so you can spend your time
| developing on your own project, instead of with the tedium of
| fetching and installing software and managing version
| compatibility problems yourself.
| markstos wrote:
| After using Ubuntu for over a decade, I switched to Arch Linux.
|
| If you exclude the duplicated architecture packages in the
| Ubuntu repos and include the community-maintained packages,
| Arch has more packages; new packages seem to be commonly available
| within 24 hours of an upstream release.
|
| For example, I use some utilities based on "rofi". A search for
| Ubuntu packages containing "rofi-" contains just no results,
| but a search for Arch packages returns about 50 results.
|
| https://packages.ubuntu.com/search?suite=groovy&section=all&...
|
| https://aur.archlinux.org/packages/?O=0&SeB=n&K=rofi-&outdat...
|
| AUR packages look easier to maintain than PPAs, so I'm more
| likely to get involved with packaging something on Arch
| than I was on Ubuntu.
| Quekid5 wrote:
| > After using Ubuntu for over a decade, I switched to Arch
| Linux.
|
| Hah! Very similar experience; see my sibling reply :)
| Quekid5 wrote:
| I think the future is probably something more NixOS-like. Now,
| personally, I've tried it and found it a bit wanting UX-wise
| (and for really niche stuff), but for providing cutting edge
| _and_ the ability to roll back safely I don't think it can be
| beaten. If you have databases, etc. that need to be rolled
| back things get more complicated, ofc.
|
| Right now, I'm running Arch Linux with a small smattering of
| self-compiled stuff. Arch seems to actually be pretty stable,
| unless you're using their 'testing' repos... and it's very
| close to bleeding edge. Their secret, I think, is staying as-
| close-as-possible to upstream -- the trouble usually starts
| when distros start to add large patches. This has been a huge
| issue for me with Debian/Ubuntu.
| gigel82 wrote:
| Isn't it worrisome that something like openssl is listed as
| having no owner? Wouldn't a sneaky patch in something as low-
| level and widely-used as that have devastating consequences?
|
| Is there another Linux distro that gets multiple eyeballs on
| (core) package changes and proper security reviews that you folks
| would recommend for daily driver?
| symlinkk wrote:
| Anyone else disturbed by this? These packages have root access
| for millions of computers and thousands of Fortune 500 companies
| and no one is maintaining them?
| ISL wrote:
| Seems like those Fortune 500 companies might think about making
| a donation or two?
| markstos wrote:
| If you aren't volunteering, don't be surprised that other
| people aren't either.
| edu-ap wrote:
| Assuming that only self-funded individuals can contribute in
| their spare time, but companies can dedicate staff too.
| janvdberg wrote:
| If you sort by Installs this is kind of disturbing.
|
| A lot of well known packages (Apache2 / OpenSSL / LibreOffice
| etc.) have no owner?
|
| https://wnpp.debian.net/?sort=installs%2Fdesc&page=1
| amarshall wrote:
| I think packages listed as "RFH" aren't unmaintained really,
| just requesting for help maintaining it. Clicking-through on
| e.g. grub2 shows a mailing list thread requesting for help
| from...2004. grub2 has certainly received updates in Debian
| since then.
| jrwr wrote:
| holy shit, order by installs, Apache and sudo have no maintainers
| kwk1 wrote:
| Re: sudo, not exactly:
| https://lists.debian.org/debian-devel/2021/02/msg00234.html
| pengaru wrote:
| Neither of those are listed as O(rphaned), they're RFA/RFH.
| soneil wrote:
| Apache makes sense - it's a bit of a mammoth with complex
| packaging (as different components arrive in different
| packages). A cruise through the relevant list thread shows he's
| looking for a gradual handover, soliciting help, but being
| suitably picky about who takes over (eg, eagerness isn't the
| only job requirement).
|
| Do click on the package titles to go through to the relevant
| thread. For most of the packages you'd be worried about, what
| you'll see is either a well-reasoned handover of
| responsibilities, or a simple call for help.
|
| (Or just look at the 'type' column - RFH is Request for Help,
| RFA is Request for Adoption. Important or complicated packages
| looking for more team members isn't a panic.)
___________________________________________________________________
(page generated 2021-02-20 23:00 UTC)