Re: How to package Nuxeo DM, a Java EE application, in Debian
On Feb 6, 2011, at 10:29 PM, Vincent Fourmond wrote:
> On Sun, Feb 6, 2011 at 10:15 PM, Niels Thykier <niels@thykier.net> wrote:
>>> Here are the main objections that have been raised (by some Ubuntu guys) about the way we are making our packages:
>>>
>>> 1. "It looks like they're bundling their own Tomcat. We haven't allowed this in the past. Ask that they use our version"
>>>
>>> 2. "They bundle a TON of JARs, many of which we provide. We may be able to work with this, but ideally you will want to use our jars where possible."
>>>
>>
>> I have to admit, these objections apply to Debian too. One of the
>> issues with embedding other libraries/applications into another
>> application is that it makes it harder for us to fix security issues.
>> In particular, we have to trace which packages embed which library
>> and check whether each of those packages has that vulnerability. I hope
>> you can see that this will not work very well for us if a lot of our packages
>> do that.
>>
>> In fact, in my experience Debian tends to be more zealous about this
>> than Ubuntu.
>
> I want to offer definite confirmation on this. We don't use embedded
> JARs in a source package. We absolutely need every single package
> compiled from source, and that includes their dependencies. That's why
> packaging Java applications for Debian is so much of a pain ;-)...
> More on that there:
>
> http://vince-debian.blogspot.com/2009/03/java-packaging-nightmare.html
Well, if packaging Java applications in Debian is a nightmare, shouldn't it be Debian's responsibility to make it less of a nightmare for its developers or contributors?
> BTW, redistributing JAR files is not always a very good idea:
> imagine you have a JAR of a (L)GPLed library, and for a reason or
> another you lose the source (if only because you never had it as you
> got binary JARs from upstream). Then, you fail the terms of the GPL
> and cannot redistribute the JARs, since you would be at loss to
> provide the source.
That's not how we do things in the Java world, especially when we are using Maven.
Note that when using Maven, those jars usually come from http://repo1.maven.org/, so the responsibility for providing the source code for these jars actually falls upon the owner of maven.org, which happens to be jvanzyl@codehaus.org - not upon us.
(But the same goes for the pre-Maven days when people used to embed third-party jars in a lib/ directory in their sources - with even less traceability for those jars).
S.
--
Stefane Fermigier, Founder and Chairman, Nuxeo
Open Source, Java EE based, Enterprise Content Management (ECM)
http://www.nuxeo.com/ - +33 1 40 33 79 87 - http://twitter.com/sfermigier
Join the Nuxeo Group on LinkedIn: http://linkedin.com/groups?gid=43314
New Nuxeo release: http://nuxeo.com/dm54
"There's no such thing as can't. You always have a choice."
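The tracing problem Niels raises above (which packages embed which library, at which version) is what a distribution security team has to answer before it can ship a fix. The script below is an added example, not code from the thread or from Nuxeo or Debian: it inventories the Maven coordinates of every jar bundled under an unpacked package tree and flags jars without any provenance metadata. It assumes the common Maven layout META-INF/maven/<groupId>/<artifactId>/pom.properties; the package tree and library name (org.example:foo) are constructed for the demo.

```python
# Added example: inventory the Maven coordinates of JARs bundled in an unpacked
# package tree; assumes (not from the thread) Maven-built jars carry pom.properties.
import os
import tempfile
import zipfile
from pathlib import Path

def jar_coordinates(jar_path):
    """'groupId:artifactId:version' strings from the jar's pom.properties,
    or ['<unknown>:<file name>'] so jars without one are not silently missed."""
    coords = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    k, v = line.split("=", 1)
                    props[k.strip()] = v.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                coords.append(f"{props['groupId']}:{props['artifactId']}:{props['version']}")
    return coords or [f"<unknown>:{os.path.basename(jar_path)}"]

def inventory(root):
    """Map every *.jar under root (recursively) to its coordinates."""
    return {str(p.relative_to(root)): jar_coordinates(str(p)) for p in sorted(Path(root).rglob("*.jar"))}

def find_embedded(inv, group_id, artifact_id):
    """Jar paths whose coordinates match group:artifact at any version."""
    prefix = f"{group_id}:{artifact_id}:"
    return [p for p, cs in inv.items() if any(c.startswith(prefix) for c in cs)]

def _make_jar(path, props=None):
    # Constructed sample jar: a real zip with an optional pom.properties.
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if props:
            entry = f"META-INF/maven/{props['groupId']}/{props['artifactId']}/pom.properties"
            zf.writestr(entry, "".join(f"{k}={v}\n" for k, v in props.items()))

def demo():
    """Constructed package tree: one Maven-built jar and one opaque jar."""
    lib = os.path.join(tempfile.mkdtemp(), "lib")
    os.makedirs(lib)
    _make_jar(os.path.join(lib, "foo-1.2.jar"), {"groupId": "org.example", "artifactId": "foo", "version": "1.2"})
    _make_jar(os.path.join(lib, "mystery.jar"))
    inv = inventory(os.path.dirname(lib))
    return inv, find_embedded(inv, "org.example", "foo")
```

Run `inventory()` over each unpacked package and the `<unknown>` entries are the jars that need manual attribution before a vulnerability in a bundled library can even be located.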