Manfred Moser:
> Some clarifications..

Ditto, thx for your reply.

> > - Release source tarballs, not only binaries to maven central.
>
> This has been a requirement for open source components in Central for
> years. You can find them with the -sources classifier in a jar file. E.g.
> looking at
> http://search.maven.org/#artifactdetails%7Ccom.google.inject%7Cguice%7C3.0%7Cjar
> you can find the java doc and source code for guice in
> guice-3.0-javadoc.jar and guice-3.0-sources.jar

I was thinking about tar.{gz|bzip2|xz|...} source archives on the website of the project, but that's not so important. We could enhance our tools to also work on .jar files. Some people might have strong feelings about the zip format.

However I'm not sure whether a source.jar produced by maven can be used to build a Debian package. I assume that generated java code from tools like protobuf or jflex is included in the source.jar? We don't want generated source code but the "real" source files written by humans. Are those files, the protobuf and jflex definition files, included in a source.jar?

> > - Sign your artifacts with gpg keys that are connected to the
> > web-of-trust.
>
> Signing is a requirement for deployment to Central. See
> https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

I've skimmed through this site and through "How To Generate PGP Signatures With Maven". The site does not mention the web-of-trust. I believe it would be of great service for the java world if this very important site could mention the importance of getting a PGP/GPG key signed. An unsigned key does not provide any security. It only lures people into a false sense of security.

> If there is interest in the debian community to have a controlled
> repository server running that only provides approved jars you could run
> Sonatype Professional. As an open source project you could get a free
> license. If there is any interest in that please contact me at
> manf...@sonatype.com

Thank you for the offer, but Debian only uses free software tools. And the tasks solved by your repository server and the Debian infrastructure are very different. However I'm looking forward to a day when we can provide a maven repository server, maybe yours, as an additional service. But that requires extra work.

Regards,

Thomas Koch, http://www.koch.ro
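
Added example, not part of the original message: one way to check a given -sources.jar for the question raised above, i.e. whether it carries the protobuf/jflex definition files or only the generated Java. The function names, the sample jar contents and the reliance on the generators' default header comments are assumptions of this sketch.

```python
import io
import zipfile

# Header comments the generators put at the top of their Java output
# (assumption: default, unmodified generator headers).
GENERATED_MARKERS = (
    b"Generated by the protocol buffer compiler",  # protoc
    b"generated by JFlex",                         # JFlex
)
DEFINITION_SUFFIXES = (".proto", ".jflex", ".flex")


def audit_sources_jar(jar_bytes, head=1024):
    """Sort the entries of a -sources.jar into definition files,
    generated Java and (presumably) hand-written Java."""
    report = {"definitions": [], "generated": [], "handwritten": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.lower().endswith(DEFINITION_SUFFIXES):
                report["definitions"].append(name)
            elif name.endswith(".java"):
                with jar.open(info) as fh:
                    start = fh.read(head)
                generated = any(m in start for m in GENERATED_MARKERS)
                report["generated" if generated else "handwritten"].append(name)
    return report


def lacks_real_source(report):
    """True when generated code ships without any definition file."""
    return bool(report["generated"]) and not report["definitions"]


def build_sample_jar(with_definitions):
    """Constructed sample input: a tiny in-memory sources jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/Main.java", "package org.example;\nclass Main {}\n")
        jar.writestr("org/example/MsgProtos.java",
                     "// Generated by the protocol buffer compiler.  DO NOT EDIT!\n")
        jar.writestr("org/example/Lexer.java",
                     "/* The following code was generated by JFlex 1.4.3 */\n")
        if with_definitions:
            jar.writestr("org/example/msg.proto", "message Msg {}\n")
            jar.writestr("org/example/lexer.jflex", "%%\n")
    return buf.getvalue()
```

A jar for which `lacks_real_source` returns True would need the upstream source repository, not the -sources.jar, as the basis for a package build.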