Set up Debian Packaging#157

Closed
Aequitosh wants to merge 5 commits into siemens:main from Aequitosh:2025-12-debian-packaging

Conversation

@Aequitosh
Contributor

Set up initial Debian packaging for debsbom.

Note: Depends on PRs #155 and #156.

In summary, this PR does the following:

  • Create a source package called debsbom
    • All dependencies currently available in Debian trixie are used. Some version requirements might be a bit more strict than necessary at the moment, at least when compared to the debian/control files of other Python packages in Debian. Not sure what the actual policy is here; I decided to remain more specific here instead of being too lax. It's always easier to relax version requirements later on.
    • Note that there is currently no dependency on python3-spdx-tools. This is deliberate, as this doesn't (yet?) exist in trixie as of writing.
  • Create a binary package called debsbom, containing the debsbom CLI
    • Tests that require network access are disabled, as per Debian policy.
    • This currently also doesn't depend on python3-spdx-tools, for the same reasons as stated for the source package above.
  • Create a binary package called python-debsbom-doc, containing the docs (duh)
    • Sphinx is prevented from doing its intersphinx mapping magic—in other words, it is denied from accessing the network as well, as per Debian policy.

As always, the commit messages contain additional (all necessary) details. They should hopefully serve as enough of an explanation of everything—if not, please don't hesitate to give a holler.

The only thing lacking here is the debian/changelog file, I'll leave that to you. 😉

Also, as mentioned off-GitHub, this PR shan't be merged; instead, its commits will (eventually) land in the Debian Salsa repository for debsbom. If there's anything you need me to change or adapt beforehand, please let me know.


(Also, should go without saying, but please keep my Signed-off-by trailers and such around when you yeet this onto Salsa, thanks! 😇)

Add the initial debian/control file necessary for packaging debsbom
for Debian.

The source and binary package names are chosen based on how a handful
of other Python tools are packaged [0][1][2], that is, "debsbom" for
both.

It should be noted that the X-Python3-Version field for the source
package stanza is added, as suggested by the Debian Python packaging
policy [3].

[0]: https://salsa.debian.org/python-team/packages/black/-/blob/592940bceecc090ff019c7e059a43f7590762442/debian/control
[1]: https://salsa.debian.org/python-team/packages/ruff/-/blob/3754df1dd55b476f470a88d24be5fe9a40177c4b/debian/control
[2]: https://salsa.debian.org/python-team/packages/mypy/-/blob/300f8d49ab58945999a93556364102662f0fc0cc/debian/control
[3]: https://www.debian.org/doc/packaging-manuals/python-policy/index.html#specifying-supported-versions

Signed-off-by: Max R. Carrara <max@aequito.sh>

"3.0 (quilt)" is the recommended format for this type of package [1].

[1]: https://wiki.debian.org/Projects/DebSrc3.0

Signed-off-by: Max R. Carrara <max@aequito.sh>
Member

@fmoessbauer fmoessbauer left a comment


Many thanks for providing this debianization. Once we have the next release, I will integrate that into the repo on salsa.

PS: Of course I will keep your signed-off.

debian/copyright Outdated
Stavros Korokithakis <hi@stavros.io>
Sunil Kapil <snlkapil@gmail.com>
Vishwas B Sharma <sharma.vishwas88@gmail.com>
Zsolt Dollenstein <zsol.zsol@gmail.com>
Member


Hi @Aequitosh, how did you create this list of copyright holders? A quick check on my side just has the following ones:

git shortlog --summary --numbered --email
   250  Felix Moessbauer <felix.moessbauer@siemens.com>
   106  Christoph Steiger <christoph.steiger@siemens.com>
    39  Tamino Larisch <tamino.larisch@siemens.com>
     9  Max R. Carrara <max@aequito.sh>
     2  Syeda Shagufta Naaz <syedashagufta.naaz@siemens.com>
     2  badrikesh prusty <badrikesh.prusty@siemens.com>

Contributor Author


Using decopy. Since it seemed like the only tool to actually generate files without distorted or otherwise buggy / glitchy output, and also because it seemed to be in line with black's copyright file, I assumed it was fine. Fine here meaning that the people listed there were correctly attributed.

You did just make me double-check though, and other Python packages' copyright files don't look similar at all... Now I do wonder why / how decopy generated the list the way it did. Surely we don't have to attribute some Python core team members and other Python package developers / maintainers here, do we?

I'll see if I can find a different tool that's maybe a bit more transparent for copyright review. I'll fix things up here too.

debian/copyright Outdated
Comment: See LICENSE

Files: debian/*
Copyright: 2018-2021, Neil Williams <codehelp@debian.org>
Member


Same here, where does this come from?

Contributor Author


See above.

debian/rules Outdated
http_proxy="127.0.0.1:9" \
https_proxy="127.0.0.1:9" \
make -C docs/ html SPHINXBUILD="$(SPHINXBUILD)" SPHINXOPTS="-j4" && \
make -C docs/ man SPHINXBUILD="$(SPHINXBUILD)" SPHINXOPTS="-j4"
Member


Do we really need parallel builds? If so, we probably would want to implement it similar to the example in the policy 4.9.1:

ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
    NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
    MAKEFLAGS += -j$(NUMJOBS)
endif
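
As an added example, not part of this PR or of debsbom itself: the parsing that the quoted Policy 4.9.1 make fragment performs on DEB_BUILD_OPTIONS, written as POSIX sh functions so the derived job count can be checked against a few option strings. It goes slightly beyond the fragment by treating an absent, empty or non-numeric value as "not set" (the make version would happily append whatever text follows `parallel=`). The function names and the sample option strings are my own.

```sh
#!/bin/sh
# Added example (not from the PR): shell equivalent of the Policy 4.9.1 fragment
#   ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
#       NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
#       MAKEFLAGS += -j$(NUMJOBS)
#   endif
# DEB_BUILD_OPTIONS is a space-separated list of tokens such as "nocheck parallel=4".

# Print N from the last "parallel=N" token in the given option string, or nothing
# if the option is absent. Only a positive integer is accepted; anything else is
# treated as "not set", which the make fragment does not check for.
deb_parallel_jobs() {
    jobs=''
    for opt in $1; do
        case "$opt" in
            parallel=*) jobs="${opt#parallel=}" ;;
        esac
    done
    case "$jobs" in
        ''|0|*[!0-9]*) jobs='' ;;
    esac
    printf '%s' "$jobs"
}

# Print the flag the fragment appends to MAKEFLAGS ("-jN"), or nothing when the
# package should build serially.
makeflags_for() {
    n=$(deb_parallel_jobs "$1")
    [ -n "$n" ] && printf -- '-j%s' "$n"
    return 0
}

# Stand-alone usage: show what the current environment would yield.
printf 'DEB_BUILD_OPTIONS="%s" -> MAKEFLAGS += "%s"\n' \
    "${DEB_BUILD_OPTIONS:-}" "$(makeflags_for "${DEB_BUILD_OPTIONS:-}")"
```

When no `parallel=N` is present the functions print nothing, which matches the policy's intent that the package then builds serially rather than with some default job count.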

Contributor Author


Hm, given that the docs aren't that huge, I might just toss the flag out and keep things simple.

Thanks for pointing me to that part of the policy though, that might actually be helpful for some other (unrelated) stuff I've been working on here and there!

@Aequitosh
Contributor Author

@fmoessbauer Quick update on the debian/copyright stuffs, posting here so it doesn't get lost in the PR inline comment history: Turns out that decopy is also a bit janky (or at least, it's a bit unintuitive).

I've run the initial generation of debian/copyright this way:

decopy debian src tests scripts

Simply because its manpage states:

The files or directories specified as positional arguments can be used to limit the processing to the indicated subset instead of processing the complete source tree.

However, when running it with --verbose --debug, it apparently still included my .venv/, .pytest_cache/ and a couple other directories. No wonder it found attributions that don't really make sense.

After fiddling around with it for a bit, I figured out that supplying any positional arguments at all messes with its in-/exclusion logic. The correct way to hold it is as follows:

decopy --exclude '^(build|\.venv|\.mypy_cache|\.pytest_cache|\.github|dist)/*'

Add any additional directories to the regex that you want to exclude.

Note that if you supply any positional arguments, --exclude is seemingly ignored. Sigh.

Anyhow, the command above yields the following:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: TODO

Files: *
Copyright: The contribution was provided directly to me by some other
           text extraction from source packages
License: Expat
Comment: No explicit license found, using license(s) from:
 LICENSE

Files: Dockerfile
       LICENSE
       docs/Makefile
       docs/source/conf.py
       scripts/*
       src/debsbom/__init__.py
       src/debsbom/apt/*
       src/debsbom/bomreader/*
       src/debsbom/bomwriter/*
       src/debsbom/cli.py
       src/debsbom/commands/*
       src/debsbom/download/*
       src/debsbom/dpkg/*
       src/debsbom/export/*
       src/debsbom/generate/*
       src/debsbom/merge/*
       src/debsbom/repack/*
       src/debsbom/resolver/*
       src/debsbom/sbom.py
       src/debsbom/snapshot/client.py
       src/debsbom/util/*
       tests/conftest.py
       tests/test_download.py
       tests/test_dpkg.py
       tests/test_export.py
       tests/test_generation.py
       tests/test_merge.py
       tests/test_snapshot.py
       tests/test_source_merger.py
Copyright: 2025, Siemens
License: Expat

Files: debian/*
License: Expat
Comment: No explicit license found, using license(s) from:
 LICENSE

License: Expat
Comment: Add the corresponding license text here

This obviously makes much more sense, though it needs a little tidying up. (I don't know why I looked at the initial copyright file and thought it was fine.)
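
As an added example, not part of this PR or of debsbom: a small POSIX sh check that does mechanically what the `git shortlog` comparison earlier in this thread did by hand. It pulls every e-mail address named in a `Copyright:` field (continuation lines included) out of a DEP-5 debian/copyright and reports the ones that never authored a commit, which is exactly how a holder dragged in from `.venv/` by decopy would show up. Both inputs are constructed samples embedded inline so the script runs offline; in a real tree you would feed it the actual file and the output of `git shortlog --summary --numbered --email`. Function names are my own, and holders listed without an e-mail address (an organisation such as "Siemens") are not checked.

```sh
#!/bin/sh
# Added example (not from the PR): cross-check the Copyright: holders in a DEP-5
# debian/copyright against the authors present in git shortlog output.

# Constructed debian/copyright excerpt. The stray holder in the "Files: *" stanza
# stands in for the kind of entry decopy picked up from .venv/ in this thread.
SAMPLE_COPYRIGHT='Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2025, Siemens
           Stavros Korokithakis <hi@stavros.io>
License: Expat

Files: debian/*
Copyright: 2025, Max R. Carrara <max@aequito.sh>
License: Expat
'

# Constructed `git shortlog --summary --numbered --email` output.
SAMPLE_SHORTLOG='   250  Felix Moessbauer <felix.moessbauer@siemens.com>
     9  Max R. Carrara <max@aequito.sh>
'

# Print (sorted, unique) every e-mail address that appears inside a Copyright:
# field. A field ends at the next "Key:" line or at a blank line, so the
# indented continuation lines of a multi-holder field are included.
copyright_emails() {
    printf '%s' "$1" | awk '
        /^Copyright:/ { infield = 1 }
        (/^[A-Za-z-]+:/ && !/^Copyright:/) || /^$/ { infield = 0 }
        infield {
            line = $0
            while (match(line, /<[^>]+>/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | sort -u
}

# Print (sorted, unique) every e-mail address from shortlog output.
shortlog_emails() {
    printf '%s' "$1" | awk '
        match($0, /<[^>]+>/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' | sort -u
}

# Print each copyright holder (by e-mail) that has no commit in the history.
# Arguments: copyright file contents, shortlog output.
unattributed_holders() {
    holders=$(copyright_emails "$1")
    authors=$(shortlog_emails "$2")
    printf '%s\n' "$holders" | while IFS= read -r email; do
        [ -n "$email" ] || continue
        printf '%s\n' "$authors" | grep -Fqx "$email" || printf '%s\n' "$email"
    done
}

# Stand-alone usage on the constructed samples; prints the stray holder.
unattributed_holders "$SAMPLE_COPYRIGHT" "$SAMPLE_SHORTLOG"
```

Running this on a real checkout before each upload is a cheap way to catch the problem discussed above without re-reading the whole file: anything it prints is either a genuine external contributor or something decopy swept in from a directory that should have been on the `--exclude` list.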

Add debian/copyright, which was initially generated using `decopy` [0]
and slightly modified to ensure correctness.

For reference, the complete command used to yield the initial
debian/copyright file is as follows:

    decopy --exclude '^(build|\.venv|\.mypy_cache|\.pytest_cache|\.github|dist)/*'

This command should be used to keep the debian/copyright file updated
as the repository grows. Any directories not actually part of the
source tree should be added to the regex of the `--exclude` flag in
order to ensure correctness of the copyright file. In particular, it
avoids inclusion of copyright holders that have not actually
contributed to the repository, but are instead found in dependencies
or similar (e.g. inside a virtual environment in `.venv/`).

Signed-off-by: Max R. Carrara <max@aequito.sh>

Add debian/rules and configure pybuild [0].

In particular, ensure that pybuild runs the tests using pytest and
puts the files to be packaged into the debian/debsbom directory.

Furthermore, disable tests that require network access through the
PYBUILD_TEST_ARGS env var. Luckily, all tests that require network
access have already been marked as such, which is why this is quite
straightforward.

[0]: https://wiki.debian.org/Python/Pybuild

Signed-off-by: Max R. Carrara <max@aequito.sh>

Generate the HTML docs as well as manpages in debian/rules. Package
the HTML docs under a new binary Debian package named
`python-debsbom-doc`. Note that the `http_proxy` and `https_proxy` env
vars are passed to sphinx so that it doesn't try to do any intersphinx
mappings, as network access is prohibited by Debian policy.

Furthermore, add `debian/debsbom.manpages` so that the Debian tooling
can figure out what manpages to package.

Also add `debian/python-debsbom-doc.install` for the HTML docs.

Finally, add proper `Recommends` fields for both `debsbom` and
`python-debsbom-doc` packages, each pointing to the other one for
discoverability's sake.

Signed-off-by: Max R. Carrara <max@aequito.sh>
@Aequitosh Aequitosh force-pushed the 2025-12-debian-packaging branch from 2095c4b to 27b8dde on December 12, 2025 13:22
@Aequitosh
Contributor Author

Alright, everything should hopefully be correct now. To summarize:

  • Removed SPHINXOPTS from debian/rules in order to keep the build process simple; parallelizing building the docs isn't necessary.
  • Fixed debian/copyright.
    • Note that I added a line saying debsbom contributors, sort of as a catch-all clause; maybe you want to have an AUTHORS file or something in the future that you can point to. That might make maintenance a little easier (as spotted here).
    • Might still wanna double-check this one again, just to be sure.

@fmoessbauer fmoessbauer self-assigned this Dec 16, 2025
@fmoessbauer
Member

Many thanks @Aequitosh for preparing the initial packaging. I kept your parts as-is and added further packaging tweaks (and adoptions to the latest version) on top. The result is now maintained on https://salsa.debian.org/python-team/packages/debsbom and also available under https://mentors.debian.net/package/debsbom/.
