
Pragmatic Debian packaging - kiyanwang
http://vincent.bernat.im/en/blog/2016-pragmatic-debian-packaging.html
======
dozzie
> [...] building Debian packages with the official tools can become
> straightforward if you bend some rules:

> 1. No source package will be generated. Packages will be built directly
> from a checkout of a VCS repository.

> 2. Additional dependencies can be downloaded during build. [...]

> 3. The produced packages may bundle dependencies. This is likely to raise
> some concerns about security and long-term maintenance, but this is a common
> trade-off in many ecosystems, notably Java, Javascript and Go.

Point 3. is fine for site-built packages that don't go to mainstream.

Point 1. in the long run can result in some trouble, and one really shouldn't
do that for third-party code (unless it's mirrored in one's own repository).

Point 2.: please don't do that. It's a stupid, really stupid idea. This way
you defeat much of the robustness provided by packaging. You can't reproduce
the build and you can't reliably rebuild the package under network outage or
leftpad 2.0 farce. It's much better to have a script (makefile?) that
downloads all the sources off-line, and package that to a single source
package (debian/source/format "3.0 (native)").

But apart from these, it's a really good overview of modern Debian package
building, especially in that it doesn't show how to _generate_ a package, but
how to build it from scratch.
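
An added example, not part of the comment above or of the linked article: a pre-build gate for the off-line approach the comment recommends. It refuses to build unless the tree is declared `3.0 (native)` and every pre-downloaded dependency matches a pinned checksum. The `vendor/` directory, the `SHA256SUMS` manifest name and both function names are assumptions, and `sha256sum` is the GNU coreutils tool.

```shell
#!/bin/sh
# Assumed layout (hypothetical, not from the article):
#   debian/source/format   must read "3.0 (native)"
#   vendor/                pre-downloaded dependency archives
#   vendor/SHA256SUMS      pinned checksums in sha256sum format

verify_vendor() {
    src=$1
    fmt="$src/debian/source/format"
    manifest="$src/vendor/SHA256SUMS"

    # The tree must be declared as a native source package.
    if [ ! -f "$fmt" ] || [ "$(cat "$fmt")" != "3.0 (native)" ]; then
        echo "debian/source/format is not '3.0 (native)'" >&2; return 1
    fi
    [ -s "$manifest" ] || { echo "missing or empty $manifest" >&2; return 1; }

    # Every pinned file must be present and match its recorded hash.
    (cd "$src/vendor" && sha256sum -c SHA256SUMS >/dev/null 2>&1) || {
        echo "vendored file missing or modified" >&2; return 1; }

    # Nothing unpinned may ride along in vendor/. A manifest line is
    # 64 hex digits plus a two-character separator, so names start at col 67.
    pinned=$(cut -c67- "$manifest")
    unpinned=$(cd "$src/vendor" && find . -type f ! -name SHA256SUMS |
               sed 's|^\./||' | grep -Fxv -e "$pinned" || true)
    [ -z "$unpinned" ] || { echo "unpinned in vendor/: $unpinned" >&2; return 1; }
    return 0
}

# Constructed sample tree for demonstration; prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/debian/source" "$t/vendor"
    echo "3.0 (native)" > "$t/debian/source/format"
    echo "constructed dependency archive" > "$t/vendor/dep-1.0.tar.gz"
    (cd "$t/vendor" && sha256sum dep-1.0.tar.gz > SHA256SUMS)
    echo "$t"
}
```

Run `verify_vendor .` as the first step of the build, so that a missing or altered dependency stops the build before anything is compiled.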

