On Feb 6, 2011, at 10:29 PM, Vincent Fourmond wrote:

> On Sun, Feb 6, 2011 at 10:15 PM, Niels Thykier <ni...@thykier.net> wrote:
>>> Here are the main objections that have been raised (by some Ubuntu guys)
>>> about the way we are making our packages:
>>>
>>> 1. "It looks like they're bundling their own Tomcat. We haven't allowed
>>> this in the past. Ask that they use our version"
>>>
>>> 2. "They bundle a TON of JARs, many of which we provide. We may be able to
>>> work with this, but ideally you will want to use our jars where possible."
>>>
>> I have to admit, these objections apply to Debian too. One of the
>> issues with embedding other libraries/applications into another
>> application is that it makes it harder for us to fix security issues.
>> In particular we have to trace which packages embed what library
>> and check whether each of those packages has that vulnerability. I hope
>> you can see that this will not work very well for us if a lot of our packages
>> do that.
>>
>> In fact, in my experience Debian tends to be more zealous about this
>> than Ubuntu.
>
> I want to offer definite confirmation on this. We don't use embedded
> JARs in a source package. We absolutely need every single package
> compiled from source, and that includes their dependencies. That's why
> packaging Java applications for Debian is so much of a pain ;-)...
> More on that there:
>
> http://vince-debian.blogspot.com/2009/03/java-packaging-nightmare.html
Well, if packaging Java applications in Debian is a nightmare, shouldn't it be Debian's responsibility to make it less of a nightmare for its developers or contributors?

> BTW, redistributing JAR files is not always a very good idea:
> imagine you have a JAR of a (L)GPLed library, and for a reason or
> another you lose the source (if only because you never had it as you
> got binary JARs from upstream). Then, you fail the terms of the GPL
> and cannot redistribute the JARs, since you would be at loss to
> provide the source.

That's not how we do things in the Java world, especially when we are using Maven. Note that when using Maven, those jars usually come from http://repo1.maven.org/, so the responsibility for providing the source code for these jars actually falls upon the owner of maven.org, which happens to be jvan...@codehaus.org - not upon us.

(But the same goes for the pre-Maven days, when people used to embed third-party jars in a lib/ directory in their sources - with even less traceability for those jars.)

S.

-- 
Stefane Fermigier, Founder and Chairman, Nuxeo
Open Source, Java EE based, Enterprise Content Management (ECM)
http://www.nuxeo.com/ - +33 1 40 33 79 87 - http://twitter.com/sfermigier
Join the Nuxeo Group on LinkedIn: http://linkedin.com/groups?gid=43314
New Nuxeo release: http://nuxeo.com/dm54
"There's no such thing as can't. You always have a choice."

Archive: http://lists.debian.org/64abc203-abe7-43ff-a908-c022b6907...@nuxeo.com
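Niels's complaint above is that a bundled library has to be traced to every package that embeds it before a security fix can be applied, and Stefane's reply points out that Maven-built jars carry their repository coordinates. The script below is an added example, not code from this thread, from Nuxeo or from Debian: it walks an unpacked package tree, identifies each jar by the META-INF/maven/.../pom.properties Maven writes (falling back to the manifest's Implementation-* attributes), looks one level into wars and ears, and lists every copy of an artifact by version. The sample tree it builds (commons-io in two versions, one nested in a war, and a manifest-only xstream.jar) is constructed for the demo; the "manifest" placeholder used as groupId for jars without pom.properties is this example's own convention.

```python
import io
import os
import re
import tempfile
import zipfile
from collections import defaultdict

ARCHIVE_EXTS = (".jar", ".war", ".ear")
# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into each jar it builds
POM_PROPS_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def parse_keyvalues(text, sep_chars):
    """Minimal parser for Java .properties ('k=v' / 'k:v') and manifest ('K: v') lines."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        idx = min((line.find(c) for c in sep_chars if c in line), default=-1)
        if idx < 0:
            continue
        result[line[:idx].strip()] = line[idx + 1:].strip()
    return result


def identify_zip(zf):
    """Return (groupId, artifactId, version) for an open jar, or None if unknown.
    pom.properties is the reliable identity; a jar built without Maven may only carry
    Implementation-* manifest attributes, so the groupId slot then holds the vendor id
    or the placeholder "manifest" (a convention of this example)."""
    names = zf.namelist()
    for name in names:
        if POM_PROPS_RE.match(name):
            p = parse_keyvalues(zf.read(name).decode("utf-8", "replace"), "=:")
            if all(k in p for k in ("groupId", "artifactId", "version")):
                return (p["groupId"], p["artifactId"], p["version"])
    if "META-INF/MANIFEST.MF" not in names:
        return None
    raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    # manifest lines wrap at 72 bytes; a continuation line starts with one space
    m = parse_keyvalues(raw.replace("\r\n", "\n").replace("\n ", ""), ":")
    title, version = m.get("Implementation-Title"), m.get("Implementation-Version")
    if title and version:
        return (m.get("Implementation-Vendor-Id", "manifest"), title, version)
    return None


def inventory(root):
    """Map coordinate -> sorted locations, scanning top-level archives under root and
    one level of nested jars (WEB-INF/lib/*.jar inside a war, a bundled Tomcat's lib/)."""
    found = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                outer = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue  # not a real zip; skip it rather than abort the whole scan
            with outer:
                coord = identify_zip(outer)
                if coord:
                    found[coord].append(rel)
                for entry in outer.namelist():
                    if not entry.lower().endswith(".jar"):
                        continue
                    try:
                        with zipfile.ZipFile(io.BytesIO(outer.read(entry))) as inner:
                            coord = identify_zip(inner)
                    except zipfile.BadZipFile:
                        continue
                    if coord:
                        found[coord].append(rel + "!/" + entry)
    return {k: sorted(v) for k, v in found.items()}


def copies_of(inv, group_id, artifact_id):
    """Every location where one artifact is bundled, keyed by version: the list a
    security update has to walk, since each embedded copy must be patched separately."""
    return {v: locs for (g, a, v), locs in inv.items() if (g, a) == (group_id, artifact_id)}


def build_sample_tree(root):
    """Constructed sample data, not a real package: one artifact bundled twice in
    different versions (one copy nested inside a war) plus a manifest-only jar."""
    def pom_props(g, a, v):
        return "#Generated by Maven\ngroupId=%s\nartifactId=%s\nversion=%s\n" % (g, a, v)

    def write_zip(target, entries):
        with zipfile.ZipFile(target, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "tomcat", "webapps"))
    write_zip(os.path.join(root, "lib", "commons-io-1.4.jar"),
              {"META-INF/maven/commons-io/commons-io/pom.properties": pom_props("commons-io", "commons-io", "1.4")})
    write_zip(os.path.join(root, "lib", "xstream.jar"),
              {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: XStream\r\n"
                                       "Implementation-Version: 1.3.1\r\n\r\n"})
    nested = io.BytesIO()
    write_zip(nested, {"META-INF/maven/commons-io/commons-io/pom.properties": pom_props("commons-io", "commons-io", "1.3.2")})
    write_zip(os.path.join(root, "tomcat", "webapps", "app.war"),
              {"WEB-INF/web.xml": "<web-app/>", "WEB-INF/lib/commons-io-1.3.2.jar": nested.getvalue()})


def demo():
    """Build the sample tree in a temp dir; return its inventory and the commons-io copies."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    inv = inventory(root)
    return inv, copies_of(inv, "commons-io", "commons-io")


if __name__ == "__main__":
    inv, copies = demo()
    for coord, locs in sorted(inv.items()):
        print(":".join(coord), "->", ", ".join(locs))
    print("copies of commons-io:commons-io by version:", copies)
```

Run against a real unpacked .deb or tarball, `copies_of(inventory(root), group, artifact)` answers the question Niels raises: where, and in which versions, is this library embedded. Jars with neither pom.properties nor Implementation-* attributes come back as None and are silently dropped from the inventory, which is itself a finding: those are the copies with no traceability at all, as Stefane's aside about lib/ directories describes.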