hello Sebastiaan, Tony, Thorsten, Emmanuel, Sebastiaan Couwenberg <sebas...@xs4all.nl> writes: > On 4/1/24 8:49 AM, Felix Natter wrote: >> tony mancill <tmanc...@debian.org> writes: >>> In my opinion we should be remove the outdated freeplane package from >>> Debian. >> the only thing that speaks against this is the user comment in #1030150 >> [1]. Is it true that "as Debian (and many derivates) still ship with old >> JDK"? [2] > > It might be feasible to patch freeplane to use Maven for the Debian package > build. This was suggested in the Gradle packaging status thread some time > ago [0]. > > Osmosis 0.49 also required a more recent Gradle to build, and adding a > patch to use Maven for the Debian package build was reasonably simple. > > [0] https://lists.debian.org/debian-java/2022/08/msg00010.html
thank you for the suggestion. In addition to a complex gradle build system [1] using the latest features, there are also a number of new dependencies. The biggest one (I think) is twemoji [2]. [1] https://github.com/freeplane/freeplane/blob/1.11.x/freeplane/build.gradle etc. [2] #878875 (Freeplane >= 1.9 can add any unicode emoji as an icon) I *might* succeed packaging Freeplane with maven, but then it might not be compatible at all due to some missing gradle build system quirks, which I think is worse than using the upstream .deb. @Thorsten: Yes, having a 100% free build in Debian is nice, but I do not see this happening :( I agree with @Emmanuel that the upstream .deb is the best solution we can get (and given the nature of java, this is extremely easy to install for users and upstream to provide) :) However, in #1030150 Alex says: > as Debian (and many derivates) still ship with old JDK, there is in my eyes > no reason to remove > Freeplane because of that. Also it would be a shame if it maybe would vanish > from it, in that way. Is this really true for Debian [3]? [3] https://packages.debian.org/search?keywords=jre&searchon=names&suite=stable§ion=all I think that if we do not remove freeplane from Debian, people are "forced" to keep old unsupported JDK/JRE versions, which is a security risk IMHO. Do you agree, or is an outdated Debian package even more secure than an up-to-date upstream package as "Rpnpif" says in #1030150: > I would agree with alex. Encouraging users to take packages out of > Debian's repositories is a security risk for their OS. The current case > with xz demonstrates this. My opinion does not mean that upstream should > not offer an alternative and packages. Cheers and Best Regards, Felix -- Felix Natter
