Assuming no one else is already working on your prospective package, you must
then submit a bug report (<xref linkend="submit-bug"/>) against the
pseudo-package <systemitem role="package">wnpp</systemitem> describing your
-plan to create a new package, including, but not limiting yourself to, a
-description of the package, the license of the prospective package, and the
+plan to create a new package, including, but not limiting yourself to, the
+description of the package (so that others can review it),
+the license of the prospective package, and the
current URL where it can be downloaded from.
</para>
<para>
</listitem>
</itemizedlist>
<para>
-Please see <ulink url="http://&ftp-master-host;/REJECT-FAQ.html"></ulink>
+Please see <ulink url="https://&ftp-master-host;/REJECT-FAQ.html"></ulink>
for common rejection reasons for a new package.
</para>
</section>
<para>
For the native packages, the source package includes a Debian source control
file (<filename>.dsc</filename>) and the source tarball
-(<filename>.tar.{gz,bz2,lzma}</filename>). A source package of a non-native package
+(<filename>.tar.{gz,bz2,xz}</filename>). A source package of a non-native package
includes a Debian source control file, the original source tarball
-(<filename>.orig.tar.{gz,bz2,lzma}</filename>) and the Debian changes
+(<filename>.orig.tar.{gz,bz2,xz}</filename>) and the Debian changes
(<filename>.diff.gz</filename> for the source format “1.0” or
-<filename>.debian.tar.{gz,bz2,lzma}</filename> for the source format “3.0 (quilt)”).
+<filename>.debian.tar.{gz,bz2,xz}</filename> for the source format “3.0 (quilt)”).
</para>
<para>
With source format “1.0”, whether a package is native or not was determined
</para>
<para>
Please notice that, in non-native packages, permissions on files that are not
-present in the <filename>*.orig.tar.{gz,bz2,lzma}</filename> will not be preserved, as diff does not store file
+present in the <filename>*.orig.tar.{gz,bz2,xz}</filename> will not be preserved, as diff does not store file
permissions in the patch. However when using source format “3.0 (quilt)”,
permissions of files inside the <filename>debian</filename> directory are
preserved since they are stored in a tar archive.
<literal>unstable</literal>.
</para>
<para>
-Actually, there are two other possible distributions: <literal>stable-security</literal>
-and <literal>testing-security</literal>, but read
-<xref linkend="bug-security"/> for more information on those.
+Actually, there are other possible distributions:
+<replaceable>codename</replaceable><literal>-security</literal>,
+but read <xref linkend="bug-security"/> for more information on those.
</para>
<para>
It is not possible to upload a package into several distributions at the same
</para>
<para>
To ensure that your upload will be accepted, you should discuss the changes
-with the stable release team before you upload. For that, send a mail to
-the &email-debian-release; mailing list, including the patch you want to
+with the stable release team before you upload. For that, file a bug against
+the <systemitem role="package">release.debian.org</systemitem> pseudo-package
+using <command>reportbug</command>, including the patch you want to
apply to the package version currently in <literal>stable</literal>. Always
be verbose and detailed in your changelog entries for uploads to the
<literal>stable</literal> distribution.
<para>
An upload to the delayed directory keeps the package in
-<ulink url="http://ftp-master.debian.org/deferred.html">the deferred uploads queue</ulink>.
+<ulink url="https://ftp-master.debian.org/deferred.html">the deferred uploads queue</ulink>.
When the specified waiting time is over, the package is moved into
the regular incoming directory for processing.
This is done through automatic uploading to
<literal>&ftp-upload-host;</literal> in upload-directory
-<literal>DELAYED/[012345678]-day</literal>. 0-day is uploaded
+<literal>DELAYED/<replaceable>X</replaceable>-day</literal>
+(<replaceable>X</replaceable> between 0 and 15). 0-day is uploaded
multiple times per day to <literal>&ftp-upload-host;</literal>.
</para>
<para>
<title>Security uploads</title>
<para>
Do <emphasis role="strong">NOT</emphasis> upload a package to the security
-upload queue (<literal>oldstable-security</literal>, <literal>stable-security</literal>,
-etc.) without prior authorization from the security team. If the
+upload queue (on <literal>security-master.debian.org</literal>)
+without prior authorization from the security team. If the
package does not exactly meet the team's requirements, it will cause many
problems and delays in dealing with the unwanted upload. For details, please
see <xref linkend="bug-security"/>.
<para>
The Debian archive maintainers are responsible for handling package uploads.
For the most part, uploads are automatically handled on a daily basis by the
-archive maintenance tools, <command>katie</command>. Specifically, updates to
-existing packages to the <literal>unstable</literal> distribution are handled
-automatically. In other cases, notably new packages, placing the uploaded
-package into the distribution is handled manually. When uploads are handled
-manually, the change to the archive may take up to a month to occur. Please
+archive maintenance tools, <command>dak process-upload</command>. Specifically,
+updates to existing packages to the <literal>unstable</literal> distribution are
+handled automatically. In other cases, notably new packages, placing the
+uploaded package into the distribution is handled manually. When uploads are
+handled manually, the change to the archive may take some time to occur. Please
be patient.
</para>
<para>
url="&url-bts;">Debian bug tracking system (BTS)</ulink> for
your packages. The BTS contains all the open bugs against your packages. You
can check them by browsing this page:
-<literal>http://&bugs-host;/<replaceable>yourlogin</replaceable>@debian.org</literal>.
+<literal>https://&bugs-host;/<replaceable>yourlogin</replaceable>@debian.org</literal>.
</para>
<para>
Maintainers interact with the BTS via email addresses at
<para>
When you become aware of a security-related bug in a Debian package, whether or
not you are the maintainer, collect pertinent information about the problem,
-and promptly contact the security team, preferedly by filing a ticket in
-their Request Tracker.
-See <ulink url="http://wiki.debian.org/rt.debian.org#SecurityTeam"></ulink>.
-Alternatively you may email &email-security-team;.
+and promptly contact the security team by emailing &email-security-team;. If
+desired, email can be encrypted with the Debian Security Contact key, see
+<ulink url="https://www.debian.org/security/faq#contact"/> for details.
<emphasis role="strong">DO NOT UPLOAD</emphasis> any packages for
<literal>stable</literal> without contacting the team. Useful information
includes, for example:
<title>The Security Tracker</title>
<para>
The security team maintains a central database, the
-<ulink url="http://security-tracker.debian.org/">Debian Security Tracker</ulink>.
+<ulink url="https://security-tracker.debian.org/">Debian Security Tracker</ulink>.
This contains all public information that is known about security issues:
which packages and versions are affected or fixed, and thus whether stable,
testing and/or unstable are vulnerable. Information that is still confidential
</para>
<para>
The Security Team has a PGP-key to enable encrypted communication about
-sensitive issues. See the <ulink url="http://www.debian.org/security/faq#contact">Security Team FAQ</ulink> for details.
+sensitive issues. See the <ulink url="https://www.debian.org/security/faq#contact">Security Team FAQ</ulink> for details.
</para>
</section>
<listitem>
<para>
References to upstream advisories, <ulink
-url="http://cve.mitre.org">CVE</ulink> identifiers, and any other information
+url="https://cve.mitre.org">CVE</ulink> identifiers, and any other information
useful in cross-referencing the vulnerability
</para>
</listitem>
<listitem>
<para>
<emphasis role="strong">Target the right distribution</emphasis>
-in your <filename>debian/changelog</filename>.
-For <literal>stable</literal> this is <literal>stable-security</literal> and
-for <literal>testing</literal> this is <literal>testing-security</literal>, and for the previous
-stable release, this is <literal>oldstable-security</literal>. Do not target
-<replaceable>distribution</replaceable><literal>-proposed-updates</literal> or
+in your <filename>debian/changelog</filename>:
+<replaceable>codename</replaceable><literal>-security</literal>
+(e.g. <literal>wheezy-security</literal>).
+Do not target <replaceable>distribution</replaceable><literal>-proposed-updates</literal> or
<literal>stable</literal>!
</para>
</listitem>
--compare-versions</literal>. Be careful not to re-use a version number that
you have already used for a previous upload, or one that conflicts with a
binNMU. The convention is to append
-<literal>+</literal><replaceable>codename</replaceable><literal>1</literal>, e.g.
-<literal>1:2.4.3-4+lenny1</literal>, of course increasing 1 for any subsequent
+<literal>+deb</literal><replaceable>X</replaceable><literal>u1</literal> (where
+<replaceable>X</replaceable> is the major release number), e.g.
+<literal>1:2.4.3-4+deb7u1</literal>, of course increasing 1 for any subsequent
uploads.
</para>
</listitem>
<listitem>
<para>
Be sure to use the <emphasis role="strong">exact same
-<filename>*.orig.tar.{gz,bz2,lzma}</filename></emphasis> as used in the
+<filename>*.orig.tar.{gz,bz2,xz}</filename></emphasis> as used in the
normal archive, otherwise it is not possible to move the security fix into the
main archives later.
</para>
<title>Uploading the fixed package</title>
<para>
Do <emphasis role="strong">NOT</emphasis> upload a package to the security
-upload queue (<literal>oldstable-security</literal>, <literal>stable-security</literal>,
-etc.) without prior authorization from the security team. If the
+upload queue (on <literal>security-master.debian.org</literal>)
+without prior authorization from the security team. If the
package does not exactly meet the team's requirements, it will cause many
problems and delays in dealing with the unwanted upload.
</para>
</section>
<section id="archive-manip">
-<title>Moving, removing, renaming, adopting, and orphaning packages</title>
+<title>Moving, removing, renaming, orphaning, adopting, and reintroducing packages</title>
<para>
Some archive manipulation operations are not automated in the Debian upload
process. These procedures should be manually followed by maintainers. This
<title>Moving packages</title>
<para>
Sometimes a package will change its section. For instance, a package from the
-`non-free' section might be GPL'd in a later version, in which case the package
+<literal>non-free</literal> section might be GPL'd in a later version, in which case the package
should be moved to `main' or `contrib'.<footnote><para> See the <ulink
url="&url-debian-policy;">Debian Policy Manual</ulink> for
guidelines on what section a package belongs in. </para> </footnote>
the package (see the <ulink
url="&url-debian-policy;">Debian Policy Manual</ulink> for
details). You must ensure that you include the
-<filename>.orig.tar.{gz,bz2,lzma}</filename> in your upload (even if you are not uploading
+<filename>.orig.tar.{gz,bz2,xz}</filename> in your upload (even if you are not uploading
a new upstream version), or it will not appear in the new section together with
the rest of the package. If your new section is valid, it will be moved
automatically. If it does not, then contact the ftpmasters in order to
<para>
If for some reason you want to completely remove a package (say, if it is an
old compatibility library which is no longer required), you need to file a bug
-against <literal>ftp.debian.org</literal> asking that the package be removed;
+against <systemitem role="package">&ftp-debian-org;</systemitem> asking that the package be removed;
as all bugs, this bug should normally have normal severity.
The bug title should be in the form <literal>RM: <replaceable>package</replaceable>
<replaceable>[architecture list]</replaceable> --
if the removal request only applies to some architectures, not all. Note
that the <command>reportbug</command> will create a title conforming
to these rules when you use it to report a bug against the
-<literal>ftp.debian.org</literal> pseudo-package.
+<systemitem role="package">&ftp-debian-org;</systemitem> pseudo-package.
</para>
<para>
If you want to remove a package you maintain, you should note this in
the bug title by prepending <literal>ROM</literal> (Request Of Maintainer).
There are several other standard acronyms used in the reasoning for a package
-removal, see <ulink url="http://&ftp-master-host;/removals.html"></ulink>
+removal, see <ulink url="https://&ftp-master-host;/removals.html"></ulink>
for a complete list. That page also provides a convenient overview of
pending removal requests.
</para>
<literal>testing</literal> directly. Rather, they will be removed
automatically after the package has been removed from
<literal>unstable</literal> and no package in
-<literal>testing</literal> depends on it.
+<literal>testing</literal> depends on it. (Removals from
+<literal>testing</literal> are possible though by filing a removal bug report
+against the <systemitem role="package">&release-debian-org;</systemitem>
+pseudo-package. See the section <xref linkend="removals"/>.)
</para>
<para>
There is one exception when an explicit removal request is not necessary: If a
-(source or binary) package is an orphan, it will be removed semi-automatically.
-For a binary-package, this means if there is no longer any source package
-producing this binary package; if the binary package is just no longer produced
-on some architectures, a removal request is still necessary. For a
-source-package, this means that all binary packages it refers to have been
+(source or binary) package is no longer built from source, it will be removed
+semi-automatically. For a binary-package, this means if there is no longer any
+source package producing this binary package; if the binary package is just no
+longer produced on some architectures, a removal request is still necessary. For
+a source-package, this means that all binary packages it refers to have been
taken over by another source package.
</para>
<para>
</para>
<para>
Further information relating to these and other package removal related topics
-may be found at <ulink url="http://wiki.debian.org/ftpmaster_Removals"></ulink>
+may be found at <ulink url="https://wiki.debian.org/ftpmaster_Removals"></ulink>
and <ulink url="&url-debian-qa;howto-remove.html"></ulink>.
</para>
<para>
should only add a <literal>Provides</literal> relation if all
packages depending on the obsolete package name continue to work
after the renaming. Once you've uploaded the package and the package
-has moved into the archive, file a bug against <literal>ftp.debian.org</literal>
+has moved into the archive, file a bug against <systemitem role="package">&ftp-debian-org;</systemitem>
asking to remove the package with the
obsolete name (see <xref linkend="removing-pkgs"/>). Do not forget
to properly reassign the package's bugs at the same time.
</para>
</section>
+<section id="reintroducing-pkgs">
+<title>Reintroducing packages</title>
+<para>
+Packages are often removed due to release-critical bugs, absent maintainers,
+too few users or poor quality in general. While the process of reintroduction
+is similar to the initial packaging process, you can avoid some pitfalls by
+doing some historical research first.
+</para>
+<para>
+You should check why the package was removed in the first place. This
+information can be found in the removal item in the news section of the PTS
+page for the package or by browsing the log of
+<ulink url="https://&ftp-master-host;/#removed">removals</ulink>.
+The removal bug will tell you why the package was removed and will give some
+indication of what you will need to work on in order to reintroduce the package.
+It may indicate that the best way forward is to switch to some other piece of
+software instead of reintroducing the package.
+</para>
+<para>
+It may be appropriate to contact the former maintainers to find out if
+they are working on reintroducing the package, interested in co-maintaining
+the package or interested in sponsoring the package if needed.
+</para>
+<para>
+You should do all the things required before introducing new packages
+(<xref linkend="newpackage"/>).
+</para>
+<para>
+You should base your work on the latest packaging available that is suitable.
+That might be the latest version from <literal>unstable</literal>, which will
+still be present in the <ulink url="&snap-debian-org;">snapshot archive</ulink>.
+</para>
+<para>
+The version control system used by the previous maintainer might contain useful
+changes, so it might be a good idea to have a look there. Check if the <filename>control</filename>
+file of the previous package contained any headers linking to the version
+control system for the package and if it still exists.
+</para>
+<para>
+Package removals from <literal>unstable</literal> (not <literal>testing</literal>,
+<literal>stable</literal> or <literal>oldstable</literal>) trigger the
+closing of all bugs related to the package. You should look through all the
+closed bugs (including archived bugs) and unarchive and reopen any that were
+closed in a version ending in <literal>+rm</literal> and still apply. Any that
+no longer apply should be marked as fixed in the correct version if that is
+known.
+</para>
+</section>
+
</section>
<section id="porting">
<section id="non-free-buildd">
<title>Marking non-free packages as auto-buildable</title>
<para>
-By default packages from non-free are not built by the autobuilder
+By default packages from the <literal>non-free</literal> section are not built by the autobuilder
network (mostly because the license of the packages could disapprove).
To enable a package to be build you need to perform the following
steps:
<listitem>
<para>
Check whether it is legally allowed and technically possible
-to auto-build the package ;
+to auto-build the package;
</para>
</listitem>
<listitem>
<para>
Add <literal>XS-Autobuild: yes</literal> into the header part
-of <filename>debian/control</filename> ;
+of <filename>debian/control</filename>;
</para>
</listitem>
<listitem>
<itemizedlist>
<listitem>
<para>
-Does your NMU really fix bugs? Fixing cosmetic issues or changing the
-packaging style in NMUs is discouraged.
+Have you geared the NMU towards helping the maintainer? As there might
+be disagreement on the notion of whether the maintainer actually needs
+help on not, the DELAYED queue exists to give time to the maintainer to
+react and has the beneficial side-effect of allowing for independent
+reviews of the NMU diff.
+</para>
+</listitem>
+<listitem>
+<para>
+Does your NMU really fix bugs? ("Bugs" means any kind of bugs, e.g.
+wishlist bugs for packaging a new upstream version, but care should be
+taken to minimize the impact to the maintainer.) Fixing cosmetic issues
+or changing the packaging style (e.g. switching from cdbs to dh) in NMUs
+is discouraged.
</para>
</listitem>
<listitem>
<listitem>
<para>
If the maintainer is usually active and responsive, have you tried to contact
-him? In general it should be considered preferable that a maintainer takes care
-of an issue himself and that he is given the chance to review and correct your
-patch, because he can be expected to be more aware of potential issues which an
-NMUer might miss. It is often a better use of everyone's time if the maintainer
-is given an opportunity to upload a fix on their own.
+them? In general it should be considered preferable that maintainers take care
+of an issue themselves and that they are given the chance to review and
+correct your patch, because they can be expected to be more aware of potential
+issues which an NMUer might miss. It is often a better use of everyone's time
+if the maintainer is given an opportunity to upload a fix on their own.
</para>
</listitem>
</itemizedlist>
</para>
<para>
While preparing the patch, you should better be aware of any package-specific
-practices that the maintainer might be using. Taking them into account reduces
-the burden of getting your changes integrated back in the normal package
-workflow and thus increases the possibilities that that will happen. A good
+practices that the maintainer might be using. Taking them into account
+reduces the burden of integrating your changes into the normal package
+workflow and thus increases the chances that integration will happen. A good
place where to look for for possible package-specific practices is
<ulink url="&url-debian-policy;ch-source.html#s-readmesource"><filename>debian/README.source</filename></ulink>.
</para>
<para>
Those delays are only examples. In some cases, such as uploads fixing security
-issues, or fixes for trivial bugs that blocking a transition, it is desirable
+issues, or fixes for trivial bugs that block a transition, it is desirable
that the fixed package reaches <literal>unstable</literal> sooner.
</para>
version <literal>1.5+nmu1</literal>.
</para>
<para>
-If the package is a not a native package, you should add a minor version number
+If the package is not a native package, you should add a minor version number
to the Debian revision part of the version number (the portion after the last
hyphen). This extra number must start at <literal>1</literal>. For example,
if the current version is <literal>1.5-2</literal>, then an NMU would get
benefit of making it visually clear that a package in the archive was not made
by the official maintainer.
</para>
-
<para>
If you upload a package to testing or stable, you sometimes need to "fork" the
version number tree. This is the case for security uploads, for example. For
this, a version of the form
-<literal>+deb<replaceable>XY</replaceable>u<replaceable>Z</replaceable></literal>
-should be used, where <replaceable>X</replaceable> and
-<replaceable>Y</replaceable> are the major and minor release numbers, and
-<replaceable>Z</replaceable> is a counter starting at <literal>1</literal>.
-When the release number is not yet known (often the case for
-<literal>testing</literal>, at the beginning of release cycles), the lowest
-release number higher than the last stable release number must be used. For
-example, while Lenny (Debian 5.0) is stable, a security NMU to stable for a
-package at version <literal>1.5-3</literal> would have version
-<literal>1.5-3+deb50u1</literal>, whereas a security NMU to Squeeze would get
-version <literal>1.5-3+deb60u1</literal>. After the release of Squeeze, security
-uploads to the <literal>testing</literal> distribution will be versioned
-<literal>+deb61uZ</literal>, until it is known whether that release will be
-Debian 6.1 or Debian 7.0 (if that becomes the case, uploads will be versioned
-as <literal>+deb70uZ</literal>).
+<literal>+deb<replaceable>X</replaceable>u<replaceable>Y</replaceable></literal>
+should be used, where <replaceable>X</replaceable> is the major release number,
+and <replaceable>Y</replaceable> is a counter starting at <literal>1</literal>.
+For example, while Wheezy (Debian 7.0) is stable, a security NMU to stable for
+a package at version <literal>1.5-3</literal> would have version
+<literal>1.5-3+deb7u1</literal>, whereas a security NMU to Jessie would get
+version <literal>1.5-3+deb8u1</literal>.
</para>
</section>
same time. For instance, instead of telling the maintainer that you will
upload the updated
package in 7 days, you should upload the package to
-<literal>DELAYED/7</literal> and tell the maintainer that he has 7 days to
+<literal>DELAYED/7</literal> and tell the maintainer that they have 7 days to
react. During this time, the maintainer can ask you to delay the upload some
more, or cancel your upload.
</para>
The <literal>DELAYED</literal> queue should not be used to put additional
pressure on the maintainer. In particular, it's important that you are
available to cancel or delay the upload before the delay expires since the
-maintainer cannot cancel the upload himself.
+maintainer cannot cancel the upload themselves.
</para>
<para>
If you make an NMU to <literal>DELAYED</literal> and the maintainer updates
-his package before the delay expires, your upload will be rejected because a
+the package before the delay expires, your upload will be rejected because a
newer version is already available in the archive.
Ideally, the maintainer will take care to include your proposed changes (or
at least a solution for the problems they address) in that upload.
The package must have been available in <literal>unstable</literal> for 2, 5
or 10 days, depending on the urgency (high, medium or low). Please note that
the urgency is sticky, meaning that the highest urgency uploaded since the
-previous <literal>testing</literal> transition is taken into account. Those
-delays may be doubled during a freeze, or <literal>testing</literal>
-transitions may be switched off altogether;
+previous <literal>testing</literal> transition is taken into account;
</para>
</listitem>
<listitem>
The packages on which it depends must either be available in
<literal>testing</literal> or they must be accepted into
<literal>testing</literal> at the same time (and they will be if they fulfill
-all the necessary criteria).
+all the necessary criteria);
+</para>
+</listitem>
+<listitem>
+<para>
+The phase of the project. I.e. automatic transitions are turned off during
+the <emphasis>freeze</emphasis> of the <literal>testing</literal> distribution.
</para>
</listitem>
</itemizedlist>
</para>
<para>
Some further dependency analysis is shown on <ulink
-url="http://release.debian.org/migration/"></ulink> — but be warned, this page also
+url="https://release.debian.org/migration/"></ulink> — but be warned, this page also
shows build dependencies which are not considered by britney.
</para>
<section id="outdated">
The packages are looked at to determine whether they are valid candidates.
This gives the update excuses. The most common reasons why a package is not
considered are too young, RC-bugginess, and out of date on some arches. For
-this part of britney, the release managers have hammers of various sizes to
-force britney to consider a package. (Also, the base freeze is coded in that
-part of britney.) (There is a similar thing for binary-only updates, but this
-is not described here. If you're interested in that, please peruse the code.)
+this part of britney, the release managers have hammers of various sizes,
+called hints (see below), to force britney to consider a package.
</para>
<para>
Now, the more complex part happens: Britney tries to update <literal>testing</literal>
</para>
<para>
If you want to see more details, you can look it up on <ulink
-url="http://&ftp-master-host;/testing/update_output/"></ulink>.
+url="https://&ftp-master-host;/testing/update_output/"></ulink>.
</para>
<para>
The hints are available via <ulink
-url="http://&ftp-master-host;/testing/hints/"></ulink>.
+url="https://&ftp-master-host;/testing/hints/"></ulink>, where you can find
+the
+<ulink url="https://&ftp-master-host;/testing/hints/README">description</ulink>
+as well. With the hints, the Debian Release team can block or unblock
+packages, ease or force packages into <literal>testing</literal>, remove
+packages from <literal>testing</literal>, approve uploads to
+<link linkend="t-p-u">testing-proposed-updates</link> or override the urgency.
</para>
</section>