
Re: maven2 for Debian



Quoting Michael Koch <konqueror@gmx.de>:

I don't think this can be the only option. Two very different versions
of a library can still be very stable and secure and useful for
different programs. Is there any chance that this approach is being
reconsidered?

I don't think so. Every duplicated library can create duplicated work for
the Debian security work. Consider some artificial Java library which
handles URLs and their content as an example. Due to a small bug in URL
handling this library allows access to system-restricted files. This
library is now in 3 different versions in Debian. In a stable Debian
release the Debian security team has to fix, test and upload 3 libraries
instead of the only one we normally have in the archive. Think of a
library that is 10 or 20 times in the archive. Debian is a free-time
project. Even the security team does everything in their free time. We
should not put more burden on them than really needed.

I understand that and I agree. However, doesn't the change of library invalidate the upstream QA process, which includes security and is potentially more extensive than the Debian one (at least it should be)? If so, how do you weigh the pros and cons? I think multiple versions of a library are sometimes necessary, but this should be limited to where it is necessary.

Just my 2c as an apprentice... there is lots to learn for me ;-)

manfred




