please tag and version this project

[aviau]

Hello,

Can you please tag and version this project?

I am the Debian Maintainer for raft-boltdb and versioning would help Debian keep up with development.

[sean-]

Hello Alexandre, thanks for taking an interest in packaging this library for Debian. Is there a reason this software needs to be included directly into Debian as a package? raft-boltdb does not include executable binaries and if an external package is using these bits without vendoring them, that is an issue with the dependent software. If there is a different use case that has not been considered, please reply back. Thank you again for the interest in increasing the distribution this library!

[aviau]

Looks like you answered the same answer on all packages I opened a bug for, so I'll answer everywhere but le me know if you want to have the conversation at one place.

In Debian, we build everything from the archive. Our builders cannot access the internet so we would be unable to build software that requires raft-boltdb if they pulled it from the internet at build time.

Vendoring is a bad practice in software development in general. For the same reason that we don't link everything statically in Linux distribution, Debian does not accept vendoring dependencies. I am the maintainer for InfluxDB and it depends on raft-boltdb. For Debian to ship InfluxDB, we must package all dependencies. (raft-boltdb is already in Debian at this moment).

In this particular case, InfluxDB does not vendor raft in its source tarball, but even if they did, we would strip it out and package raft independently. I'm sure you understand why this is important, we don't want to update 200 packages when there is a security issue in only one package. Code duplication is best avoided in general.