Re: How to package Nuxeo DM, a Java EE application, in Debian
Stefane Fermigier:
> On Feb 6, 2011, at 10:29 PM, Vincent Fourmond wrote:
> > JARs in a source package. We absolutely need every single package
> > compiled from source, and that includes their dependencies. That's why
> > packaging Java applications for Debian is so much of a pain ;-)...
> > More on that there:
> >
> > http://vince-debian.blogspot.com/2009/03/java-packaging-nightmare.html
>
> Well, if packaging Java applications in Debian is a nightmare, shouldn't it be
> Debian's responsibility to make it less of a nightmare to its developers
> or contributors?
As you write yourself below, "That's not how we do things in the Java world",
there is a clear and fundamental difference between the Java world and all
free software distributions (not only Debian).
Both sides have reasons why they're doing things their way. Naturally I tend
to agree more with the points of the free software distributions. However, you
can't just say that only the distributions should move (if they can at all
without violating licenses).
We're actively working hard to resolve these issues. However, Java has been free
only since 2007. Only then did it start to make sense for free software
distributions to invest effort to resolve issues.
I'm aware of talks given at last year's FOSDEM, German LinuxTag and last
weekend's FOSDEM to raise awareness about the issues and discuss them. Inside
Debian people are building tools to make Java packaging less of a nightmare.
However, this all takes time.
I could now continue to express my anger about Java developers who regard
Windows as the "default development system", Java developers who don't give a
shit about licenses or don't even know how to tell the difference between GPL and
the Apache License, Java developers who don't care that Maven pulls jars
without any cryptographic protection, Java developers who think it's good
enough if their code runs only against one specific point version of a library
and Java developers who don't understand why anybody should want to rebuild
their binary jars from source - but I really shouldn't. :-)
> > BTW, redistributing JAR files is not always a very good idea:
> > imagine you have a JAR of a (L)GPLed library, and for a reason or
> > another you lose the source (if only because you never had it as you
> > got binary JARs from upstream). Then, you fail the terms of the GPL
> > and cannot redistribute the JARs, since you would be at a loss to
> > provide the source.
>
> That's not how we do things in the Java world, especially when we are using
> Maven.
>
> Note that when using Maven, those jars come usually from
> http://repo1.maven.org/, so the responsibility for providing the source
> code for these jars actually falls upon the owner of maven.org, which
> happens to be jvanzyl@codehaus.org - not upon us.
As far as I understand the GPL, this statement is not correct. If you
distribute the jar, you also need to guarantee the availability of the source
code for the next three years. If the source code were not available
anymore on some other site, you're f**cked.
> (But same for the pre-maven days when people used to embed third-party jars
> in a lib/ directory in their sources - with even less traceability for
> those jars).
>
> S.
Thomas Koch, http://www.koch.ro