First, thanks Michael and Arnaud for the work on zope2.12 Debian
On 02/05/2011 Arnaud Fontaine wrote:
> Once upon a time, zope2.X could be easily installed on Debian (until
> 2.10), and thanks to dzhandle, it was pretty easy and straightforward to
> use. Unfortunately it is not anymore since the upstream decided to move
> to a modularized approach (with ZTK) rather than having a monolithic
> tarball, which is a good thing, in most cases at least.
> Unfortunately, it has become a nightmare from a packager's point of view,
> because each released version of Zope depends upon specific versions
> of these modules, which sometimes (often?) include backward-incompatible
> changes, thus leading to conflicting dependencies between each released
> Moreover, as of Zope 2.12, there are about 89 eggs pulled down as
> dependencies when using the regular build process and the number is
> growing because more and more duplicated code with ZTK is being moved
> out of Zope2.
> In addition, several Zope applications, like Plone, require a specific
> Zope version. Therefore, we also would like to be able to offer, at the
> same time, several major versions of Zope (2.12 and 2.13 for example),
> like we once did for Zope 2.9 and 2.10, and like we do for versions of
> We thought about two solutions to address these issues:
> 1/ Versioning each component of the ztk so we can install at the same
> time zope-foo 1.2.1 and zope-foo 1.3.0.
> 2/ Packaging inside a zope2.12 package all the requirements of zope2.12
> which are not the current mainstream ztk.
> Even if we don't really like it, the second solution seems the only
> viable solution because of the number of modules and the breakage in
> backward-compatibility. Not doing so would require versioned packages
> for the 89 eggs required by Zope 2.12, and the same for those required
> by Zope 2.13.
> The purpose of this email is actually to let the debian-release and
> debian-security teams know before finalizing the package, thus we can
> make sure that the package gets accepted and gets advice as well. We
> realize that's a big burden for those teams because of the duplicated
> modules, but we are willing to take care of that as much as possible.
Seems like neither Security-Team nor Release-Team responded to this
mail. I added ftpmasters to Cc in order to give them a chance to
If I got it right, all packaging-related issues have settled down, and
from a Debian pkg-zope team point of view, the zope2.12 packages are
ready to be uploaded.
Please be aware that we as the Debian pkg-zope team are aware of the
drawbacks of a monolithic zope2.12 package (with all zope eggs
included), but we discussed this issue to death, and don't see another
solution. You can take a look at the meeting summary for further
We (the Debian pkg-zope Team) feel responsible to help with any
security- or license-issues that might arise with zope2 packages in the
future. We also keep a close watch on the development of zope2, and
switch the packages to depend on packaged zope eggs as soon as this
might be an option (i.e. the zope eggs upstream maintainers guarantee
So, the last showstopper before zope2.12 packages can be uploaded is
comments by Security-Team, Release-Team and FTPMasters whether the
solution we've chosen is ok for them for the time being. Please send us
your comments in case you've any.
On behalf of the Debian Zope2 packagers,
Archive: http://lists.debian.org/20110602112440.GA4217@resivo.wgnet.de