I've spoken with some maintainers at the Debian IRC channel irc://irc.debian.org#debian-mentors, asking for the exact same thing, and the general consensus was:
Solution #1:
Integrating dependencies in your package by copying their source files over as a single codebase is very frowned upon. It would defeat the purpose of a packaging system that handles dependencies, updates, versioning, etc.
Solution #3:
Downloading non-debian packages on-the-fly when installing a binary (.deb
) is a serious security risk, definitely a no-no. You wouldn't even be able to inspect the dependencies by extracting the deb
, because they are downloaded and installed at install time. It's an approach that completely bypass the repositories system. No concerned user would be happy with a package that, behind the scenes (and as root
, remember!), downloads additional untrusted software from untrusted sources. Yes, that would require fiddling with DEBIAN/postinst
(or preinst
) and issuing a wget
(or, in your case, pip install
), and that is the approach taken by Flash, Oracle Java, Steam and others. But that is proprietary, closed source software, so their security is none anyway.
Solution #1.5:
You didn't mention it, but you could integrate the dependencies only at build time, ie, in the source package (the .orig.tar.gz
, .debian.tar.gz
, .dsc
triad), by downloading from PyPi when creating the "binary" package (the .deb
). The instructions for the pip install
would go into debian/rules
(notice the lowercase debian
, as opposed to the binary package), and would be executed when you issue debuild
or dpkg-buildpackage
.
This is a middle-ground between #1 and #3. It mitigates (but not solve!) some of the issues of #3: at least you can inspect the final product, and the .deb
would not require internet access at install time. All the risks and burdens are transferred from final user to the package maintainer. But, has the same problems as #1, as it bypasses most of the packaging system infrastructure. Afterall, handling dependencies (versions, updates, requirements, conflicts) is why dpkg
/apt
was created in the first place! :)
Solution #2:
The One True Right Way™. You create debian packages for your dependencies, list them as requirements in your package, and ship all the .debs
or source packages.
From there, you have a number of options:
Submit the source packages, both your software and its dependencies, for inclusion to Debian. If accepted, they would be automatically available to all Debian users, including all derivatives like Ubuntu.
Upload the source packages to Launchpad, thus creating a PPA that any Ubuntu user (and its derivatives like Linux Mint) could easily add and install
Host your own debian repository in your website, that users from any Debian-based system could add to their /etc/apt/sources.list.d
and use the apt
infrastructure to download, install and keep updated, (like the above!)
Host the .deb
files for direct download and install. No apt
or automatic updates involved thought.
As for how to package your PyPi dependencies (and your python software too!), there are a number of tools and references that make the process easy:
stdeb, as you mentioned. Oldie and goodie.
Pybuild, a new, amazing tool from Debian that supersedes stdeb
.
And many useful references:
Need help? Check those out:
Best Answer
Before Ubuntu adds
python 3.5
to the official repositories you have two options to install it now :Check if someone has come with a PPA containing
python 3.5
so that you can install/remove it usingapt-get
or other package managerInstall from source
As fas as i can see there is no such PPA available till date so your only option is to install from source file.
You have said :
Perhaps you have not heard of
checkinstall
yet, it creates a package out of the files that are going to be saved on different places in your computer at the last step of compiling a package from source (sudo make install
). So you just need to replacesudo make install
withsudo checkinstall
and then you can remove the package you named using any package manager in the usual manner.Check
man checkinstall
to get more idea.Update:
A PPA is now available. Check this answer.