
Re: maven2 for Debian



On Mon, Mar 05, 2007 at 09:28:11AM -0800, manfred@mosabuam.com wrote:
> Quoting Michael Koch <konqueror@gmx.de>:
> 
> >Debian always installs jars with their version number. The files without
> >version numbers are just symlinks to the latest version.
> 
> Ah... that's good to know.
> 
> >Debian only packages one (the latest) version of a Java software.
> >Everything else would be a horror to support, security- and bloat-wise.
> 
> I understand that for actual programs. However, can that work for
> libraries? You might have two perfectly fine and stable GUI programs.
> E.g. one using Java 1.4 features and another using brand spanking new
> Java 6 features and they share the need for the same library but in a
> VERY different version. Unless we somehow keep both libraries around
> you can not use both programs.

As Marcus wrote in another mail, for some cases we have different versions
of a library in Debian.

> >We patch the Java software to all use the same version of a Java
> >library.
> 
> Wow.. from my refactoring experience in Java that should potentially  
> be a LOT of work.  It's a bit like redoing the whole upstream release
> and QA cycle. Hats off to you all.
> 
> >This is how Debian handles it. And it's the only possible way for Debian
> >because of long release cycles with security support and all that.
> >This means a lot of work.
> 
> I don't think this can be the only option. Two very different versions
> of a library can still be very stable and secure and useful for
> different programs. Is there any chance that this approach is being
> reconsidered?

I don't think so. Every duplicated library can create duplicated work for
the Debian security work. Consider some artificial java library which
handles URLs and their content as an example. Due to a small bug in URL
handling this library allows access to system restricted files. This
library is now in 3 different versions in Debian. In a stable Debian
release the Debian security team has to fix, test, upload 3 libraries
instead of the only one we normally have in the archive. Think of a
library that is 10 or 20 times in the archive. Debian is a free-time
project. Even the security team does everything in their free-time. We
should not put more burden on them than really needed.

Another problem is archive bloat. I know it's a minor reason but it's
still a reason. Consider a software that uses 10 MB of archive space for
one version. Now consider this software to be in Debian 10 times.
You get the idea.

> >With Maven we will give the user the opportunity to be more up to date
> >with Java software installed side-by-side with Debian packages.
> 
> Yeah.. but Maven does not do all the nice integration like executable  
> in /usr/bin, desktop icons, version upgrade notification and so on.  
> Packaging the applications is still the way to go as far as I  
> understand to get it to the end user in a seamless way.

You can't package the applications without packaging the needed
libraries. One of the main ideas behind Debian is that everything can be put
onto a CD/DVD and be done. You don't need to download anything from the
web (like maven does). The same is true for building packages. The
archive must be self-contained. Debian packages may not depend on some
third-party download sites.


Cheers,
Michael
-- 
 .''`.  | Michael Koch <konqueror@gmx.de>
: :' :  | Free Java Developer <http://www.classpath.org>
`. `'   |
  `-    | 1024D/BAC5 4B28 D436 95E6 F2E0 BD11 5923 A008 2763 483B


