It looks like there is so far no guideline / recommendation regarding the choice to package an app from the Debian package or from binaries / source code grabbed directly from the project.
I think it’s good to leave full freedom to the packager, but good to recall the pros and cons of the 2 solutions in https://yunohost.org/#/packaging_apps to make him aware.
In short, what’s at stake (to be completed) and associated tips:
Pros of packaging from upstream
- faster to provide the latest version (counterargument: check whether the package is in backports and how reactive the maintainer is with respect to previous upgrades)
Pros of packaging from Debian
- Debian QA:
  - the Debian Maintainer can be a first barrier to check for security leaks, anti-features, privacy threats…
  - privacy leaks are considered as bugs and usually patched by Debian
- better integration in the Debian ecosystem
  - conf files are in /etc/, binaries in /bin/… easier for admins who are used to digging (a bit) in the command line, helps to keep a structured system.
- lighter disk usage (e.g. avoids duplicating libraries) (counterargument: several libraries (npm, …) are also well managed by YNH)
What would be the YNH policy in case, for one piece of software, 2 YNH packages are proposed: 1 with upstream sources, 1 based on Debian packages? AFAIK YNH cannot manage conflicts between apps?
Thanks for your opinions/insights!