policy - Debian Perl Group Policy


Project Internal Policy

This document describes how we do stuff internally. It is of course work in progress and probably always will be.

We are using git repositories to keep the packages under revision control. Details of working with these repositories are outside the scope of this document; it is recommended that you read the Debian Perl Group Git Guide (


1. Mandatory mailing lists and such
2. debian/changelog handling and versioning
3. debian/control handling
4. debian/copyright handling
5. debian/watch handling
6. Package Naming Policy
7. Test suites
8. Embedded third-party modules in inc/
9. Security Hardening Build Flags for XS Modules
10. Debian Maintainers practice
11. Release Process
12. Dual-lived Modules

Mandatory mailing lists and such

All members of our group should be subscribed to and read this list (at least skim all messages for Debian Perl Group related stuff). Additionally, every member should be subscribed to to receive bug reports and similar information.

All members are encouraged to install and use our packages. They are also encouraged to check our git repositories ( You can watch the work on our git repositories via gitlab's watch feature. The commit messages are also sent to #debian-perl at

debian/changelog handling and versioning

We use the debian revision to count our releases to the debian archive, not internal steps. So if and only if you do the first change after a release, you add another debian/changelog entry (dch -i). Note that the name and email address in the debian/changelog entry (i.e. after --) should be present in Uploaders: in debian/control (otherwise lintian will think that you are doing an NMU unless the first line is * Team upload).

If you change something that has to be noted in debian/changelog, add a line to the current entry (dch -a). The [firstname lastname] markers added by dch are okay to give credit to non-upload-permitted contributors (also for the initial changelog entry).

Important NOTES to other group members may be placed at the top of the current changelog entry of packages that are not yet ready for upload (e.g. why a package is still UNRELEASED etc.).

debian/control handling

When pushing a package's git repository for the first time change the Maintainer field to "Debian Perl Group <>" and put your own email address and name in the Uploaders field to show that you feel responsible for the package.

When you make a significant modification to a package in the repository, add your name to the Uploaders field. You should keep the names of other contributors who added their names before you.

The packages maintained by the group should contain the following fields:


Perl packages should be uploaded to the perl section.


Most Perl packages should be of priority optional.


All group-maintained packages list "Debian Perl Group <>" as the maintainer.


Contains the list of contributors to the specific package, i.e. persons interested in co-maintaining it in the future.

Build and runtime dependencies

We try to support backporting our packages to oldstable/stable where possible. This affects handling of versioned (build) dependencies.

At some point (usually a year after a release) oldstable will be removed from the archive; at that point support for backporting to oldstable becomes moot.

Helpful tools: "rmadison package" for seeing the package releases in all archive areas; "corelist -a Module::Name" to find out when a dual-lifed module was integrated into perl core.

We try to support bootstrapping efforts, so if build dependencies are exclusively needed for the build tests, they should be annotated with <!nocheck>.


An URL pointing to the package's git repository. That is, for a package called libsomething-perl,


An URL pointing to the public Web interface where this package's base location in the repository can be browsed. For libsomething-perl, it would be


The URL for this module's upstream homepage. For CPAN modules, unless the author has a specific homepage, you can point to


If the package uses the autopkgtest framework, a Testsuite field with the value autopkgtest-pkg-perl should be added.


Perl packages normally don't need root to build so the Rules-Requires-Root field should be set to no unless it's really needed, in which case it should be set to an appropriate value, see the Debian policy at

The other usual fields should, of course, be present and have sensible values. In particular, try to stick to the highest published Standards-Version and a modern enough debhelper compatibility level. Typically we would use

 Build-Depends: debhelper-compat (= 13)

in debian/control and no debian/compat file.

The pkg-perl group members prefer to directly use debhelper and dh(1) when packaging. We suggest you don't use cdbs as part of the build process for packages intended to be group-maintained.

debian/copyright handling

Each package should have the copyright file debian/copyright following the copyright-format 1.0 or newer. copyright-format 1.0 as released together with Debian policy 3.9.3 is documented at

The most recent copyright-format specification is referenced in Debian policy under

debian/watch handling

Each package should have a watch file (debian/watch) to make manual and automatic checking for new upstream versions easier. The recommended format for a watch file for a typical module libfoo-bar-perl hosted on CPAN is:

 version=4   .*/Foo-Bar-v?@ANY_VERSION@@ARCHIVE_EXT@$

Package Naming Policy

Where possible, packages should be named in a consistent manner, per the Debian Perl Policy, section 4.2: Module Package Names.

Packages are named differently depending on whether their primary purpose is considered to be a library or an application. The Comprehensive Perl Archive Network (CPAN) is the upstream source of the great majority of our packages. CPAN's notion of a "distribution" is roughly compatible with Debian's notion of a "package", and so, packages are generally named after the distributions they came from.


Suppose there is a hypothetical package called Widget::Factory, which is a library that exposes an interface for other Perl programs. This package also contains a well-known application called widgetmaker. In this case, we should:

  1. Have a source package called libwidget-factory-perl
  2. Produce a single binary package: libwidget-factory-perl
  3. Set up the libwidget-factory-perl binary package so that it also:
      Provides: widgetmaker

Some consideration is required when other packages may place dependencies on the application component of a package. In this case, we can use a versioned Provides.


Occasionally, we encounter Perl distributions that are intended to be used as standalone applications, rather than libraries. These distributions are frequently, but not always, in the App:: namespace. Developers must use their own judgment to decide if this is the case, but if there is any doubt, the issue should be discussed on the mailing list.

Suppose there is a hypothetical distribution called Robot::Maker, which is a suite of software assisting with the design of robot, best known by its users as robotmaker. Since this is an application, we should:

  1. Produce a source package called robotmaker
  2. Produce a binary package called robotmaker
  3. If other libraries depend on the interface provided by library components in this package, but these files are distributed in the same upstream distribution, then we should also produce a binary package called: librobot-maker-perl or similar, which will be a dependency of the robotmaker package.

Test suites

CPAN distributions typically come with a test suite that is run at build time. As a general rule, we want to run as many tests as possible in order to catch errors. Some details need to be taken into account:

Embedded third-party modules in inc/

Some distributions ship embedded modules in inc/, e.g as part of the build system or for testing. While it is OK to have own code in inc/ to extend an existing build system (e.g. Module::Build), an embedded third-party module used for building or testing shouldn't be used but instead packaged in Debian and added as a Build-Depends{,-Indep} entry, while at the same time making sure the embedded version isn't used during package build.

There are some exceptions to this rule, currently:

Example of handling inc/ at build time

Say a package includes libdevel-checklib-perl in inc/. We should make sure the embedded version isn't used, and set appropriate build-depends:

    Build-Depends: ..., libdevel-checklib-perl, ...

# we want to use the system version of included modules, so
# we move the inc away and move it back afterwards
	[ ! -d $(CURDIR)/ ] || mv $(CURDIR)/ $(CURDIR)/inc

	[ ! -d $(CURDIR)/inc ] || mv $(CURDIR)/inc $(CURDIR)/

Security Hardening Build Flags for XS Modules

XS Modules (i.e using arch:any) should use hardening build flags.

As a rule, we enable all hardening flags by setting DEB_BUILD_MAINT_OPTIONS to hardening=+all:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all

However, some hardening flags can cause issues on some architectures, or break the build altogether.

In that case, it is acceptable to enable only a subset of flags for the package:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow

Please consider re-enabling all the flags vi +all whenever there is a new upstream release in the module or a newer GCC version in Debian.

Debian Maintainers practice

The Debian project has adopted the Debian Maintainers (DM) concept (cf. in Summer 2007. The pkg-perl group doesn't see this approach fit for its workflow and its use is discouraged.

Release Process

If you are a DD, upload but be prepared to receive (at least part of) the blame. If you are not, some DD in the Group will surely sponsor the package. They will check the package first, too, but make sure there is no reason to complain. If you have a package ready for upload, ask at or in the channel #debian-perl at in case noone picks up the ready-for-upload package from any of PET (past), DMD (present), or tracker (future).

Always feel free to ask others to check a package if in doubt.

Dual-lived Modules

Dual-lived modules (those which are available separately from CPAN as well as in perl itself) can be packaged separately in Debian if and only if the version available on CPAN is greater than that in core, and there is a need for that version in Debian.

When Depending on such packages, declare the package name and version as normal (perl now supports versioned Provides, so separate packages will only be pulled in if needed).

When perl is updated with newer dual-lived modules versions, the separately packaged modules become obsolete. Such packages should not be shipped in a stable release, and should be removed from the archive if there has been no upstream release within two years.





The canonical source of this document can be found at:


Copyright (c) 2004-2020 by the individual authors and contributors noted above. All rights reserved. This document is free software; you may redistribute it and/or modify it under the same terms as Perl itself

Perl is distributed under your choice of the GNU General Public License or the Artistic License. On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL' and the Artistic License in `/usr/share/common-licenses/Artistic'.