I have been using Debian on and off since the late 90s, including some time creating packages. It was wonderful to be able to install a recent, working version of pretty much anything you wanted for the vast majority of that time.<p>More recently, so many things I want to use are not available as a reasonably up-to-date package. Some examples are hugo and eclipse, where the versions provided are unusably ancient.<p><a href="https://lwn.net/Articles/842319/" rel="nofollow">https://lwn.net/Articles/842319/</a><p>Meanwhile, more and more software is actively hostile to packaging / distributions, and things seem to have devolved into grabbing things from random github repos, or various dedicated/language-specific package managers like npm, pip, brew, ...<p>It's definitely annoying, seems like a step backwards, and its not clear to me whether there's some better distro i could be using, whether some funding / volunteer time could help, or the world has just "moved on" (backwards...) from the idea of a linux distribution with reasonably stable, up-to-date packages that "just work" for basic infrastructure so you can spend your time developing on your own project, instead of with the tedium of fetching and installing software and managing version compatibility problems yourself.
Packaging for debian anything non trivial is damn too hard.<p>It took me 5 days to figure out how to package a complete web app with params, upgrades, post install transpiling, db init, etc.<p>And I haven't put that on a private repo yet, it's yet another annoying thing to do.<p>Nothing is well documented, doc is old and confusing, the tooling is archaic and wants to inflict pain (debconf anyone ?), the life cycle of a Deb package is atrocious to get right.<p>And you have to do all that in raw bash scripts. Not there are no alternatives, any scripting language is potentially usable, but the support is poor enough to deter you from them.<p>It's not I don't want to contribute to the ecosystem, but I won't invest the colossal effort and exercice in frustration to overcome the barrier to entry. My packages don't even need to go to the official repo, just let me do my things in peace.<p>Make a python lib that let you describe a package, hook on life cycle events to run code, with clear documented recipes et where to put what types of files, and let me run that to generate the Deb. Event web pack is easier to use for God sake.<p>I'm not even touching the process of packaging something to be included in debian repositories here, which is another beat entirely.<p>Quit the smug act, debian packagers. You don't know better.<p>You do know better on how to design a distro and protect the official repository. Great. I praised you for that for decades.<p>But you know nothing about making your users life easy. You just don't. So ask them, and fix that, or don't complain about no contrib. This is not news, we raised our voices for years.<p>I contribute all the time to Foss in code and doc, I donate in mass. We ARE willing to help. And we do.<p>It's not us. It's you.
As someone who's thinking about moving to Linux and has made many non-trivial contributions to Homebrew, the contribution process for Debian packages scares me. The official documentation seems to be more of a reference guide than a tutorial, and community blog posts always seem to start with "That other tool is outdated; here's the new way to do it," making it impossible to know which method is the right one.<p>IMO, what really needs some lovin' is the official onboarding process for new contributors.
I once built a whole deployment system out of packaging all our services as Debian packages and running them out of our own apt repo. Once we got it working, this was a really low maintenance system and bringing new servers online was stupid easy.<p>Since then Debian packages have become easier to create and maintain. And it’s a great skill if you ever need to create e.g. a custom-compiled version of nginx or some such. It’s a really well thought out system and I am surprised it isn’t more widely used. By contrast Docker seems to be more portable but way more of a pain in the ass.
If you sort by Installs this is kind of disturbing.<p>A lot of well known packages (Apache2 / OpenSSL / LibreOffice etc.) have no owner?<p><a href="https://wnpp.debian.net/?sort=installs%2Fdesc&page=1" rel="nofollow">https://wnpp.debian.net/?sort=installs%2Fdesc&page=1</a>
At page 3 there is apache2 with more than 300k installs. The maintainer stated no more interest[1]. This seems like low hanging fruit for a massive supply chain attack.<p>[1] <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910917" rel="nofollow">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910917</a>
When you click on random (or not so random) packages like Libreoffice, it brings you to [0] where help was requested in 2007 and as recent as oct 2020 offers for help are ignored. Not sure how this 'process' works?<p>[0] <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419523" rel="nofollow">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419523</a>
Sadly in recent years I've seen a number of neglected Debian packages picked up by people who just wanted to pad their resume and say "I'm a Debian maintainer!". This usually has ended badly with the new maintainer not caring about the userbase. They close all open bugs without having fixed anything, and break shit wholesale just so they can say it builds.<p>Please don't pick up a package just because you think it would be cool to be a maintainer. If you are not invested in the well-being of the userbase, you will get called out.
Isn't it worrisome that something like openssl is listed as having no owner? Wouldn't a sneaky patch in something as low-level and widely-used as that have devastating consequences?<p>Is there another Linux distro that gets multiple eyeballs on (core) package changes and proper security reviews that you folks would recommend for daily driver?
Linux Standard Base recommend rpm support.<p>But the rpm package need adoption and refers users to alien, but the alien package is orphaned.<p>hah, looking at wikpedia it seems LSB support have been dropped by Ubuntu and Debian in November 2015.
Anyone else disturbed by this? These packages have root access for millions of computers and thousands of Fortune 500 companies and no one is maintaining them?
This is an off topic question, but is Debian a good alternative to Gentoo? Over the last three years I'm assuming Gentoo is so low on resources that they are just removing packages left and right. Every few months my install is broken due to this.<p>The main reason I'm still with gentoo is inertia and I really like the tools and just the way things work. The problem really is the portage tree (basically the repo) which is become more and more bare as the years go on. For example, I miss eix whenever I use debian, apt-cache just isn't as useful. Also, having to use not systemd is a plus and a reason I won't use Arch. Any suggestions?