-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
severity 221236 grave
thanks
Benoit Joly <[EMAIL PROTECTED]> writes:
> Hi Arnaud,
Hi Benoit,
> I'm trying to figure out the reasons to rebuild the jar from sources.
Are Debian Policy and DFSG good reasons? ;-)
> Java bytecode is portable and the jakarta-log4j1.2 source package
> includes the jar (upstream includes both the sources and the jar).
I see references in the Debian Java Policy about building the packages
- From sources, in the sarge policy, in the Debian Policy and in the DFSG
(#2), I also have some discussions on #debian-devel, here are some
arguments (the last one is the more important: DFSG#2):
. 2.5. Main, contrib or non-free[1]
If your source package can compile (correctly) only with non-free
tools (the only free Java compilers seem to be guavac, gcj and
jikes, it cannot go to main. If your package itself is free, it must
go to contrib.
. Chapter 4. Advices to Java packagers[2]
Source package handling is painful, since most Java upstream
programs come with .class files. I suggest to make a new .orig
tarball after cleaning them, otherwise, dpkg-source will complain.
I understand these statements as 'build your package from sources!'
. you can read the point 4 of this document:
http://release.debian.org/sarge_rc_policy.txt
. Debian-Policy:
4.2 Package relationships[3]
If build-time dependencies are specified, it must be possible to
build the package and produce working binaries on a system with only
essential and build-essential packages installed and also those
required to satisfy the build-time relationships (including any
implied relationships). In particular, this means that version
clauses should be used rigorously in build-time relationships so
that one cannot produce bad or inconsistently configured packages
when the relationships are properly satisfied.
. Security-updates:
How would you patch the package if there was a security update? Idem
if there was something Debian specific to apply?
. Trusting the upstream:
Is the jar building upstream is really the one that we can build from
sources? Here, you can have some surprises! Aka if the package depends
of libraries not in the debian repository.
. Debian Free Software Guidelines[4]
2 Source Code
The program must include source code, and must allow distribution in
source code as well as compiled form.
Yes, source code is shipped with log4j, but your package does not
build from sources, so I'm not sure the binary is the one that build
from these sources.
> I have seen many java libraries not building jar if they are provided
> (many jakarta-commons libraries do not rebuild).
I planed to ask some clarifications of the debian java policy about a
'build from sources' but I don't think it's necessary. I plan to file RC
bugs on java packages not building from sources (that's why I'm Cc'ing
to debian-java).
Can you tell me which package does not build from sources?
> Can you give me a good reason to build log4j from sources?
Done ;-)
> thanks,
Cheers,
> /Benoit
[1] http://www.debian.org/doc/packaging-manuals/java-policy/x138.html
[2] http://www.debian.org/doc/packaging-manuals/java-policy/c173.html
[3] http://www.debian.org/doc/debian-policy/ch-source.html#s-pkg-relations
[4] http://www.debian.org/social_contract
- --
~/.signature not found
... but hey, this is Linux, isn't it meant to do infinite loops in 5
seconds?
-- Jonathan Oxer in the apt-cacher ChangeLog
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAepzk4vzFZu62tMIRAjQOAKCoGtfrgAEGcUMXF9A/rXJyxcl2dACfV57d
2goArWUp4rt9oppqLuOBTjY=
=aOfF
-----END PGP SIGNATURE-----
