On Sun, Feb 6, 2011 at 10:15 PM, Niels Thykier <ni...@thykier.net> wrote:
>> Here are the main objections that have been raised (by some Ubuntu guys)
>> about the way we are making our packages:
>>
>> 1. "It looks like they're bundling their own Tomcat. We haven't allowed
>> this in the past. Ask that they use our version"
>>
>> 2. "They bundle a TON of JARs, many of which we provide. We may be able to
>> work with this, but ideally you will want to use our jars where possible."
>>
>
> I have to admit, these objections apply to Debian too. One of the
> issues with embedding other libraries/applications into another
> application is that it makes it harder for us to fix security issues.
> Particularly we have to trace which packages embed what library
> and check whether each of those packages has that vulnerability. I hope
> you can see that this will not work very well for us if a lot of our packages
> do that.
>
> In fact, in my experience Debian tends to be more zealous about this
> than Ubuntu.

I want to offer definite confirmation on this. We don't use embedded JARs in a source package. We absolutely need every single package compiled from source, and that includes their dependencies. That's why packaging Java applications for Debian is so much of a pain ;-)... More on that there:

http://vince-debian.blogspot.com/2009/03/java-packaging-nightmare.html

BTW, redistributing JAR files is not always a very good idea: imagine you have a JAR of a (L)GPLed library, and for one reason or another you lose the source (if only because you never had it as you got binary JARs from upstream). Then, you fail the terms of the GPL and cannot redistribute the JARs, since you would be at a loss to provide the source.

Cheers,

Vincent
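
The tracing work described in the quoted message (which packages embed which library), sketched as an added example that is not part of the original thread: it walks each package archive, descends into nested WAR/EAR/JAR files, and builds a library-to-packages index. The package and library names are hypothetical, the sample archives are constructed in memory, and it assumes bundled JARs carry `Implementation-Title` and `Implementation-Version` in their manifest, falling back to the file name when they do not.

```python
import io
import zipfile

def make_zip(files):  # helper for the constructed sample data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def manifest_attrs(jar_bytes):
    """Main-section attributes of META-INF/MANIFEST.MF, or {} if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return {}
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    main = text.replace("\r\n", "\n").split("\n\n", 1)[0]  # main section only
    pairs = (l.split(":", 1) for l in main.splitlines() if ":" in l and l[0] != " ")
    return {k.strip(): v.strip() for k, v in pairs}

def embedded_jars(blob, prefix=""):
    """Yield (path, bytes) for each JAR in an archive, descending into WAR/EAR/JAR."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            data = zf.read(name)
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue  # mislabelled or corrupt member
            if name.lower().endswith(".jar"):
                yield prefix + name, data
            yield from embedded_jars(data, prefix + name + "!/")

def index_embedded(packages):
    """Map (library, version) -> sorted [(package, path)] of packages bundling it."""
    index = {}
    for pkg, blob in packages.items():
        for path, data in embedded_jars(blob):
            attrs = manifest_attrs(data)
            key = (attrs.get("Implementation-Title") or path.rsplit("/", 1)[-1],
                   attrs.get("Implementation-Version", "unknown"))
            index.setdefault(key, []).append((pkg, path))
    return {key: sorted(hits) for key, hits in index.items()}

def sample_packages():  # constructed sample; package/library names are hypothetical
    mf = "Manifest-Version: 1.0\nImplementation-Title: examplelib\nImplementation-Version: 1.0\n\n"
    lib = make_zip({"META-INF/MANIFEST.MF": mf})
    war = make_zip({"WEB-INF/lib/examplelib.jar": lib})
    return {"app-a": make_zip({"lib/examplelib.jar": lib}),
            "app-b": make_zip({"webapp.war": war, "lib/bare.jar": make_zip({"A.class": b""})})}
```

Every copy found this way is one more place a fix has to land when the library gets a security update; JARs with no manifest metadata show up under their file name with version `unknown` and need manual identification.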