> [...] building Debian packages with the official tools can become straightforward if you bend some rules:
> 1. No source package will be generated. Packages will be built directly from a checkout of a VCS repository.
> 2. Additional dependencies can be downloaded during build. [...]
> 3. The produced packages may bundle dependencies. This is likely to raise some concerns about security and long-term maintenance, but this is a common trade-off in many ecosystems, notably Java, Javascript and Go.
Point 3. is fine for site-built packages that don't go to mainstream.
Point 1. in the long run can result in some trouble, and one really shouldn't
do that for third-party code (unless it's mirrored in own repository).
Point 2.: please don't do that. It's a stupid, really stupid idea. This way
you defeat much of the robustness provided by packaging. You can't reproduce
the build and you can't reliably rebuild the package under network outage or
leftpad 2.0 farce. It's much better to have a script (makefile?) that
downloads all the sources off-line, and package that to a single source
package (debian/source/format "3.0 (native)").
But apart from these, it's a really good overview of modern Debian package
building, especially that it doesn't show how to generate a package, but
build it from scratch.
> 1. No source package will be generated. Packages will be built directly from a checkout of a VCS repository.
> 2. Additional dependencies can be downloaded during build. [...]
> 3. The produced packages may bundle dependencies. This is likely to raise some concerns about security and long-term maintenance, but this is a common trade-off in many ecosystems, notably Java, Javascript and Go.
Point 3. is fine for site-built packages that don't go to mainstream.
Point 1. in the long run can result in some trouble, and one really shouldn't do that for third-party code (unless it's mirrored in own repository).
Point 2.: please don't do that. It's a stupid, really stupid idea. This way you defeat much of the robustness provided by packaging. You can't reproduce the build and you can't reliably rebuild the package under network outage or leftpad 2.0 farce. It's much better to have a script (makefile?) that downloads all the sources off-line, and package that to a single source package (debian/source/format "3.0 (native)").
But apart from these, it's a really good overview of modern Debian package building, especially that it doesn't show how to generate a package, but build it from scratch.