[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to package Nuxeo DM, a Java EE application, in Debian

Stefane Fermigier:
> On Feb 6, 2011, at 10:29 PM, Vincent Fourmond wrote:
> > JARs in a source package. We absolutely need every single package
> > compiled from source, and that includes their dependencies. That's why
> > packaging Java applications for Debian is so much of a pain ;-)...
> > More on that there:
> > 
> > http://vince-debian.blogspot.com/2009/03/java-packaging-nightmare.html
> 
> Well, if packaging Java applications in Debian is a nightmare, shouldn't be
> Debian's responsibility to make it less of a nightmare to its developers
> or contributors ?
As you write yourself below, "That's not how we do things in the Java world", 
there is a clear and fundamental difference between the Java world and all 
free software distributions (not only Debian).
Both sides have reasons, why they're doing things their way. Naturally I tend 
to agree more with the points of the free software distributions. However you 
can't just say that only the distributions should move (if they can at all 
without violating licenses).
We're actively and hard working to resolve these issues. However java is free 
only since 2007. Only then it started to make sense for free software 
distributions to invest effort to resolve issues.
I'm aware of talks given at last years FOSDEM, German linuxtag and last 
weekend's FOSDEM to raise awareness about the issues and discuss them. Inside 
Debian people are building tools to make java packaging less of a nightmare. 
However this all takes time.
I could now continue to express my anger about java developers which regard 
windows as the "default development system", java developers who don't give a 
shit about licenses or don't even know to tell the difference between GPL and 
the Apache License, java developers who don't care that maven pulls jars 
without any cryptographic protection, java developers who think it's good 
enough if their code runs only against one specific point version of a library 
and java developers who don't understand, why anybody should want to rebuild 
their binary jars from source, - but I really shouldn't. :-)

> > BTW, redistributing JAR files is not always a very good idea:
> > imagine you have a JAR of a (L)GPLed library, and for a reason or
> > another you lose the source (if only because you never had it as you
> > got binary JARs from upstream). Then, you fail the terms of the GPL
> > and cannot redistribute the JARs, since you would be at loss to
> > provide the source.
> 
> That's not how we do things in the Java world, especially when we are using
> Maven.
> 
> Note that when using Maven, those jars come usually from
> http://repo1.maven.org/, so the responsibility for providing the source
> code for these jars actually falls upon the owner of maven.org, which
> happens to be jvanzyl@codehaus.org - not upon us.
As far as I understand the GPL, this statement is not correct. If you 
distribute the jar, you also need to guarantee the availability of the source 
code for the next three years. If the source code would not be available 
anymore on some other site, you're f**cked.

> (But same for the pre-maven days when people used to embed third-party jars
> in a lib/ directory in their sources - with even less tracability for
> those jars).
> 
>   S.

Thomas Koch, http://www.koch.ro
Reply to: