1 :date: 2011-08-20 20:00:00
2 :tags: neuroscience, software, packaging
4 .. _chap_neurosoftware_packaging:
6 What does it take to get some software packaged?
7 ================================================
9 We often get contacted by people who wrote some scientific software and
10 would like to see it being available from the NeuroDebian repository.
11 Most of these developers don't know what it actually means to *package*
12 software, how time-consuming the process is, and who needs to do what to
15 There is already a lot of information about *distribution packaging* on the
16 web, including "best-practices" documentation for upstream_-developers,
17 such as `Debian's upstream guide`_, and it would be pointless to repeat all
18 these bits here. Instead we will focus on a few core aspects that we found
19 to be the most ignored and misunderstood concepts that heavily influence
20 the speed and complexity of the *packaging process*.
22 .. _upstream: http://en.wikipedia.org/wiki/Upstream_(software_development)
23 .. _Debian's upstream guide: http://wiki.debian.org/UpstreamGuide
25 So what exactly is a *package*? The ultra-short summary: it is first and
26 foremost an executable description of how to build software from source and
27 install the resulting binaries, while ensuring compatibility and
28 interoperability with other parts of a particular system. Hence, although
29 Debian-based operating systems install packages containing *binaries*, the
30 main focus of the packaging process is on the **source package**. The
31 end-product of the packaging process is a source package that enables
32 **anybody** to produce binary packages in a *uniform* and *deterministic*
33 fashion, with an exhaustive description of its dependencies.
35 To understand how that is done any interested person **needs** to read a
36 fair bit of documentation, for example a `packaging tutorial`_, and the
37 `Debian policy`_ -- the ultimate guidelines for proper Debian packages.
38 But albeit being an interesting read for anyone, it is actually the
39 *package maintainer*'s job to get all this done right. However, there are a
40 few key aspects about packaging that any developer should know, as they
41 will make the difference between getting a package done in a few hours, or
42 only after weeks, months, or years of tedious work. These are:
44 * A reliable versioning scheme
45 * Exhaustive documentation of involved licenses
46 * Clear separation of 3rd-party code
49 .. instead of saying that "packaging is only for us, Debian gurus",
50 .. here would be a good point to say that "having those requirements
51 .. fullfilled packaging becomes and easy task, which could be tackled
52 .. having read the tutorial and then seeking the
53 .. mentorship/sponsorship".
55 Have a deterministic version!
56 -----------------------------
58 Software need a version, packages need a version. The version is used to
59 determine whether an update is available, whether a particular package can
60 be used to satisfy a versioned dependency of another package, to associate
61 bug reports with source code, and, of course, to tell users what version
62 of a software they are running. Surprisingly, there is a lot of scientific
63 software out there that doesn't have a version, or pretends to have one,
64 but the actual source code changes without a corresponding change in the
65 version. This is **wrong**. If you want to have your software packaged, have
66 a reliable version scheme:
68 .. altogether a bit of a mix -- we don't increment any version while
69 .. working on the code -- we increment whenever making it publicly
70 .. available outside of VCS
72 .. also, strictly speaking, "sources" contain not only the 'code' which
73 .. we need to version -- docs/images/data/etc; thus I have replaced 'code'
74 .. on some occurrences
76 * *Increment* the version whenever you change publicly available
77 release or tarball of your project (even for tiny changes).
78 * Put the version into the filename of your source or binary download.
79 * And/or use a `version control system`_ (VCS) that does that versioning for
82 .. VCS doesn't do versioning per se -- it does changes tracking
83 .. possibly with unique identified which could be treated as a version
85 .. _version control system: http://en.wikipedia.org/wiki/Comparison_of_revision_control_software
87 If you don't have a deterministic version, the package maintainer
88 needs to come up with one, possibly complementing to the original
89 version which remains stale while released material changes.
90 Such custom version could be based on the time-stamp of a download, or the last
91 modification time of any file in the source distribution. But whatever the
92 maintainer will come up with, it will take time, and it will be different
93 from what you do. This will make packaging more complex, and it will
97 Be conscious about all licenses!
98 --------------------------------
100 Licenses are important. They determine whether a 3rd-party, such as a
101 Debian, is legally allowed to redistribute your software. They determine
102 whether a package maintainer is allowed to modify software for improved
103 system integration or bug fixing. They also have an impact on people's
104 motivation to contribute to a project. For example, many people out there
105 would rather not invest their time in software with restrictive licenses.
107 Be aware that the collection of *all* licenses in your source code form the
108 legal terms of your software. We often see "open-source" software that is "free
109 to use", but depends on, or includes source code that "may not be
110 redistributed". This is probably **wrong**. Moreover, we encountered quite a
111 few projects that hadn't picked any license at all. If you intend other people
112 to use your tools this is **wrong** too, as no license typically means no
113 permissions at all -- not even to download or to use.
115 The package maintainer needs to sort all these things out, needs to
116 make sure that redistribution doesn't impose a legal threat to anyone
117 (including repository mirror operators), and needs to make sure that people
118 expecting free and open-source software only get free and open-source
121 If you want to facilitate the packaging process: Make sure that you are
122 aware of all licenses covering the source code and other materials
123 (such as documentation and images) in your software. Make sure
124 to document them properly. Make sure that the licenses
125 covering the source code are compatible to each other (e.g. you cannot
126 release under the GPL_ if the license of some other part of your code says
127 "must not be used on Thursdays"). The easiest way to avoid unnecessary
128 complications is to use a `standard license`_ (such as BSD, or GPL) that
129 are known and have been evaluated by legal experts regarding their
130 implications and their compatibility with each other. Beware that
131 standard licenses created to cover programs source code are not always
132 appropriate for content (e.g. images and documentation) or data (which
133 might not even be copyrightable in some jurisdictions such as USA). You
134 can find some of popular licenses for content and data on
135 `Open Knowledge Definition (OKD)
136 <http://www.opendefinition.org/licenses>`_ website. For any license, check if your legal
137 terms comply with the `open-source definition`_ or the `Debian free software
138 guidelines`_ (that are the basis of this definition).
140 .. _GPL: http://www.gnu.org/copyleft/gpl.html
141 .. _open-source definition: http://www.opensource.org/docs/osd
142 .. _Debian free software guidelines: http://www.debian.org/social_contract#guidelines
145 Allow for modularity!
146 ---------------------
148 Usually, software authors already have means to build their code for Debian
149 or Ubuntu systems before contacting a potential packager. However, quite
150 often these procedures need to be adjusted (and sometimes even abandoned)
151 for a distribution package. A prominent reason is the inclusion of
152 3rd-party source code. Virtually all software is built on top of some other
153 software -- may it be a GUI toolkit or a numerical library. Occasionally,
154 it makes sense to include the more exotic dependencies into a source
155 distribution of some software, mainly to make building and installing
156 easier for people on less fortunate platforms.
158 However, for a distribution package such setup is typically not acceptable.
159 An operating system like Debian is a modular system were duplication needs
160 to be avoided. There should only be a single copy of a particular library
161 or tool in the distribution. All packages that require a piece of 3rd-party
162 software need to declare a dependency on the corresponding package and
163 should not ship their own copy. This has the advantage that bugs in a
164 software can be fixed in a single place and all dependent software
165 automatically benefits from this fix, without further human intervention.
166 Only a modular design like this makes it possible to successfully maintain
167 an integrated system of tens of thousands software packages with a
168 reasonable amount of manpower.
170 So if your source distribution contains 3rd-party software, clearly
171 identify its origin and version (the license as well, of course). This
172 informs the packager which dependencies need to be declared, or potentially
173 which other software still needs to be packaged separately, in order to
174 serve as a dependency.
176 As a consequence of the dependency system, you should not modify 3rd-party
177 software. If you, for example, take the source of a library and modify it a
178 bit to make it easier for you to do a certain task, there is suddenly the
179 need for having two almost identical libraries in the operating system. The
180 package for your software cannot use the system package for this library,
181 because it is modified. Instead of keep a modified version: if you need to
182 fix bugs in 3rd-party software, make sure to forward the fixes to the
183 original developers. If you need to adapt its behavior, try to do it in a
184 way that is modular, keeping the adaptor separate from the 3rd-party code.
185 This will make it much easier for you to track future developments of this
186 code, as well as help the packager integrate your software into the
189 Also, you will significantly facilitate the packaging process if your
190 build-system allows to optionally build and link against system libraries
191 instead of the convenience copies that may be included in your source code.
192 Keep in mind that anything that is *required* for packaging software for
193 Debian needs to be added or modified by the package maintainer. All
194 modifications can potentially change the behavior of your software and may
195 confuse users and/or result in unnecessary support requests that need to be
196 dealt with. Be assured that it is in the very interest of the package
197 maintainer to keep the differences minimal. If you keep modularity aspects
198 in mind while developing you can massively facilitate a packaging effort.
201 Be prepared for feedback!
202 -------------------------
204 The package maintainer might send you a few patches during the initial
205 packaging that either fix bugs on the Debian platform or that were added to
206 gain compliance with the Debian policy. Be prepared to evaluate these
207 patches and merge them into your code base or discuss necessary
208 modifications. The package maintainer needs to keep track of all
209 modifications done to your software and needs to refresh them for every new
210 release that is made. If you make it easy for the maintainer to do this
211 work, for example quickly merging modifications, by exposing a version
212 control system to track modifications, or at least a reliable communication
213 channel that informs the maintainer about the fate of the patches, you will
214 help to streamline long-term package maintenance and contribute to a
215 reliable package. All this will help disseminating your software in an
216 extremely convenient form to a very large audience.
projects / neurodebian.git / blob