
Re: How to package Nuxeo DM, a Java EE application, in Debian



On Sun, Feb 6, 2011 at 10:15 PM, Niels Thykier <niels@thykier.net> wrote:
>> Here are the main objections that have been raised (by some Ubuntu guys) about the way we are making our packages:
>>
>> 1. "It looks like they're bundling their own Tomcat.  We haven't allowed this in the past. Ask that they use our version"
>>
>> 2. "They bundle a TON of JARs, many of which we provide. We may be able to work with this, but ideally you will want to use our jars where possible."
>>
>
> I have to admit, these objections apply to Debian too. One of the
> issues with embedding other libraries/applications into another
> application is that it makes it harder for us to fix security issues.
> Particularly, we have to trace which packages embed what library
> and check whether each of those packages has that vulnerability. I hope
> you can see that this will not work very well for us if a lot of our
> packages do that.
>
> In fact, in my experience Debian tends to be more zealous about this
> than Ubuntu.

  I want to offer definite confirmation on this. We don't use embedded
JARs in a source package. We absolutely need every single package
compiled from source, and that includes their dependencies. That's why
packaging Java applications for Debian is so much of a pain ;-)...
More on that there:

http://vince-debian.blogspot.com/2009/03/java-packaging-nightmare.html

  BTW, redistributing JAR files is not always a very good idea:
imagine you have a JAR of a (L)GPLed library, and for one reason or
another you lose the source (if only because you never had it as you
got binary JARs from upstream). Then, you fail the terms of the GPL
and cannot redistribute the JARs, since you would be at a loss to
provide the source.

  Cheers,

      Vincent

