Hi all,

Some clarifications..

> Hi Emmanuel,
>
> I'm happy to find someone from the java side, especially from apache here
> on a debian list. Perhaps you could help us as an intermediator and raise
> awareness for the pain we have when dealing with java in general and often
> the ASF in special.
>
> Some points that come to my mind:
>
> - Dependencies with fixed versions instead of version ranges: We aim to
>   have one or a few versions of a software in the archive.

This is going to be difficult to get projects to do that..

> - Use version numbers in a sane way: http://semver.org

This is best practice in the Maven world as well. But not enforced or so and therefore often not really followed..

> - Correct license information.

Difficult. In fact many components in the Central repo declare one version but source code scans have revealed different licenses in different files. This analysis is done on a regular basis by Sonatype (who run the Central Repository) and exposed to Nexus users (which is a repository manager software used to host a repository yourself under your own control).

> - Release source tarballs, not only binaries to maven central.

This has been a requirement for open source components in Central for years. You can find them with the -sources classifier in a jar file. E.g. looking at

http://search.maven.org/#artifactdetails%7Ccom.google.inject%7Cguice%7C3.0%7Cjar

you can find the java doc and source code for guice in guice-3.0-javadoc.jar and guice-3.0-sources.jar

> - Sign your artifacts with gpg keys that are connected to the
>   web-of-trust.

Signing is a requirement for deployment to Central. See

https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

If there is interest in the debian community to have a controlled repository server running that only provides approved jars you could run Sonatype Professional. As an open source project you could get a free license.
If there is any interest in that please contact me at manf...@sonatype.com

Manfred
http://www.simpligility.com
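Added example, not part of the original message and not Sonatype or Debian code: a small audit that derives the companion file names mentioned above (the -sources and -javadoc classifiers, plus a detached .asc signature beside each file) from Maven coordinates and reports what a repository listing lacks. The expected file set is an assumption based on the requirements described in the message; the coordinates org.example:demo-lib:1.2.0 and the listing are constructed.

```python
# Added illustration: check a repository file listing for the source jar and
# detached GPG signatures that the message says Central requires.
# Presence only: this does not verify a signature or the key's trust path.

def gav_base(group_id, artifact_id, version):
    """Repository-relative path prefix in the standard Maven layout."""
    group_path = group_id.replace(".", "/")
    return f"{group_path}/{artifact_id}/{version}/{artifact_id}-{version}"

def expected_files(group_id, artifact_id, version, packaging="jar"):
    """POM, main artifact, -sources and -javadoc jars, then one .asc per file."""
    base = gav_base(group_id, artifact_id, version)
    files = [f"{base}.pom", f"{base}.{packaging}",
             f"{base}-sources.jar", f"{base}-javadoc.jar"]
    return files + [f + ".asc" for f in files]

def audit(listing, group_id, artifact_id, version):
    """Compare a listing (iterable of relative paths) with the expected set."""
    present = set(listing)
    missing = [f for f in expected_files(group_id, artifact_id, version)
               if f not in present]
    return {
        "missing": missing,
        # file is there but its detached signature is not
        "unsigned": [f[:-4] for f in missing
                     if f.endswith(".asc") and f[:-4] in present],
        "has_sources": not any(f.endswith("-sources.jar") for f in missing),
    }

# Constructed listing for a hypothetical artifact: the main jar has no .asc.
_P = "org/example/demo-lib/1.2.0/demo-lib-1.2.0"
SAMPLE_LISTING = [
    f"{_P}.pom", f"{_P}.pom.asc",
    f"{_P}.jar",
    f"{_P}-sources.jar", f"{_P}-sources.jar.asc",
    f"{_P}-javadoc.jar", f"{_P}-javadoc.jar.asc",
]

if __name__ == "__main__":
    # File names for the guice 3.0 example given in the message
    for path in expected_files("com.google.inject", "guice", "3.0"):
        print(path)
    print(audit(SAMPLE_LISTING, "org.example", "demo-lib", "1.2.0"))
```

A clean result here only shows that the files exist; checking each .asc against a key you trust is a separate step.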