On 12/15/2016 06:11 AM, Ben Finney wrote:
> Control: tags -1 + moreinfo
>
> On Thu, 2016-12-15 00:28 +0100, Loic Dachary <l...@dachary.org> wrote:
>
>> The python-coverage package recommends libjs-jquery-hotkeys and does not
>> install the jquery.hotkeys.js.
>
> I'm not sure what you mean by “does not install”; the “Recommends”
> dependency will install the library at the time this package is
> installed.
>
>> However the file found in the coverage.py
>> sources is different from the file found in libjs-jquery-hotkeys:
>
> This is often the case for libraries. Which version is later?
>
>> In order to avoid unintended behavior or regressions, the
>> jquery.hotkeys.js file provided in the coverage.py sources must be
>> installed.
>
> No, that's against Debian policy for security management. The library
> should not be bundled, but instead should be installed once, where a
> security upgrade will benefit all applications using that library.
>
>> Although it is desirable to avoid file duplication
>
> That is not the primary reason; rather, the primary reason is to prevent
> divergent versions of code installed by different packages.
>
>> this can only be done
>> if the files are indeed identical or if they are provided by an upstream
>> that maintains an API of some kind.
>
> Agreed, the API should be reliable :-)

In the case of this javascript dependency, there is no reliable API, no backward compatibility and no releases. Do you acknowledge that packaging coverage.py with dependencies that are different from those provided in the upstream source may introduce bugs?

Cheers

--
Loïc Dachary, Artisan Logiciel Libre