Re: Frustration with trying to build Debian packages from Maven-based sources
Emmanuel Bourg:
> Hi Thomas,
>
> I'm a committer on the Apache Commons project, if you have an itch to
> scratch with one of the libraries (commons-lang, commons-collections,
> etc) I should be able to help quickly.
>
> Do you have specific examples of Apache projects affected by the issues
> you mentioned?

Hi Emmanuel,

thank you for offering your help. As I wrote, it would be very helpful if
somebody (you) could start to lobby for sane artifact signing at Apache
conferences and on mailing lists.

It doesn't make sense to sign release artifacts with GPG keys as long as those
keys don't have any signature that would link them to the web-of-trust.
So you could start to run key signing parties at Apache events or with your
teammates.

The second thing is with source tarballs or Git repos. For building a Debian
package we need a source tarball that does not contain any non-free or binary
artifacts. The typical Ant project has a lib/ folder containing jars. We need
to repackage and get rid of the lib/ folder. So it's generally a good thing if
projects move to Maven or at least use Ivy.

Regards,
Thomas Koch, http://www.koch.ro
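
The repacking step described in the message above, as an added example that is not part of the original post or of Debian's own tooling: it filters an upstream tarball in memory, dropping the top-level lib/ folder and any file with a prebuilt-artifact suffix. The suffix list, the function names and the demo-1.0 sample tree are assumptions constructed for illustration.

```python
import io
import tarfile

BINARY_SUFFIXES = (".jar", ".class", ".war", ".ear")  # assumption: adjust per project


def is_excluded(name):
    """True for paths under the top-level lib/ folder or with a binary suffix."""
    parts = name.strip("/").split("/")  # parts[0] is the "project-1.0" root dir
    in_lib = len(parts) > 1 and parts[1] == "lib"
    return in_lib or name.lower().endswith(BINARY_SUFFIXES)


def repack(src_bytes):
    """Return (repacked tar.gz bytes, sorted names of removed members)."""
    removed, out = [], io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            if is_excluded(member.name):
                removed.append(member.name)
                continue
            dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    return out.getvalue(), sorted(removed)


def build_sample():
    """Constructed sample: an Ant-style source tree with jars bundled in lib/."""
    files = {
        "demo-1.0/src/Main.java": b"class Main {}",
        "demo-1.0/lib/junit.jar": b"PK\x03\x04",
        "demo-1.0/src/test/fixture.jar": b"PK\x03\x04",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    print("removed:", repack(build_sample())[1])
```

The returned list of removed members is worth reviewing before upload, since a jar outside lib/ (here a test fixture) may be something the build needs and has to be replaced by a packaged dependency.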