On 06.12.2016 18:59, Thorsten Glaser wrote:
> On Tue, 6 Dec 2016, Emmanuel Bourg wrote:
>
>> issues. if a package often breaks the compatibility and isn't security
>> sensitive, then maintaining more than one version is probably more
>> efficient (jgoodies and guava fall into this category).
>
> What is “security sensitive”? I’d not dare to put numbers to such
> a denomination.
Bouncycastle is a prime example of security sensitive Java software, while qdox, ASM or any Java package that just provides some sort of API is less likely vulnerable. It's a matter of balancing the pros and cons, and we have already removed duplicate libraries or reduced dependencies during the Stretch release cycle. See [1] for a quick overview of some of them.

> No idea whether maintaining several versions is really worth it.
> I mean, jgoodies looks upstream-dead, so this is a good argument
> in favour of both

JGoodies' upstream has discontinued releasing his software as free software, but he is still very active. [2] Hence we won't have to suffer from future JGoodies transitions, although the reason is rather sad.

> ⓐ maintain multiple versions of our own
>
> ⓑ package the last version of it, maintain that, and patch
> all applications to use it (and we expect no further/new
> breakage, because there will be no new upstream version)

I think we can expect that this is the last version of JGoodies, so maintaining it will become easier until the reverse-dependencies decide to switch to another library.

Regards,

Markus

[1] https://wiki.debian.org/Java/Oldlibs
[2] http://www.jgoodies.com/downloads/libraries/