
Re: Frustration with trying to build Debian packages from Maven-based sources



Hi all,

Some clarifications..

> Hi Emmanuel,
>
> I'm happy to find someone from the java side, especially from apache here
> on a debian list. Perhaps you could help us as an intermediator and raise
> awareness for the pain we have when dealing with java in general and often
> the ASF in special.
>
> Some points that come to my mind:
>
> - Dependencies with fixed versions instead of version ranges: We aim to
> have one or a few versions of a software in the archive.

This is going to be difficult to get projects to do that..

> - Use version numbers in a sane way: http://semver.org

This is best practice in the Maven world as well. But not enforced or so
and therefore often not really followed..

> - Correct license information.

Difficult. In fact many components in the Central repo declare one version
but source code scans have revealed different licenses in different files.
This analysis is done on a regular basis by Sonatype (who run the Central
Repository) and exposed to Nexus users (which is repository manager
software used to host a repository yourself under your own control).

> - Release source tarballs, not only binaries to maven central.

This has been a requirement for open source components in Central for
years. You can find them with the -sources classifier in a jar file. E.g.
looking at
http://search.maven.org/#artifactdetails%7Ccom.google.inject%7Cguice%7C3.0%7Cjar
you can find the java doc and source code for guice in
guice-3.0-javadoc.jar and guice-3.0-sources.jar

> - Sign your artifacts with gpg keys that are connected to the
> web-of-trust.

Signing is a requirement for deployment to Central. See
https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

If there is interest in the debian community to have a controlled
repository server running that only provides approved jars you could run
Sonatype Professional. As an open source project you could get a free
license. If there is any interest in that, please contact me at
manfred@sonatype.com

Manfred
http://www.simpligility.com
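The post mentions three things a packager has to deal with when pulling from Central: the repository layout that puts the -sources and -javadoc jars next to the binary, the published checksum files, and the GPG signatures required for deployment. The following is an added example (not part of the mailing-list thread, and not Sonatype's or Debian's tooling) of the checks a packager would run on a downloaded artifact before trusting it. It assumes the standard Maven 2 repository layout under repo1.maven.org, that Central publishes a .sha1 file and a detached .asc signature beside each artifact, and that gpg is installed with the publisher's key already imported for the signature step.

```python
import hashlib
import re
import shutil
import subprocess

# Added example: helpers for checking an artifact fetched from Maven Central
# the way a Debian packager would before building against it. Assumes the
# standard Maven 2 repository layout and the .sha1 / .asc companion files.

CENTRAL = "https://repo1.maven.org/maven2"


def artifact_url(group_id, artifact_id, version, classifier=None, ext="jar"):
    """Build the repository-layout URL for an artifact. The groupId dots
    become path separators; the classifier (e.g. 'sources', 'javadoc')
    is appended to the file name, which is how the -sources jar from the
    post is located next to the binary jar."""
    name = f"{artifact_id}-{version}"
    if classifier:
        name += f"-{classifier}"
    return f"{CENTRAL}/{group_id.replace('.', '/')}/{artifact_id}/{version}/{name}.{ext}"


def parse_checksum_file(text):
    """Maven .sha1/.md5 files contain either the bare hex digest or
    '<digest>  <filename>' (coreutils style). Return the lowercase digest
    so the caller does not have to care which variant was published."""
    m = re.match(r"\s*([0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("no hex digest found in checksum file")
    return m.group(1).lower()


def verify_sha1(artifact_bytes, checksum_text):
    """True if the artifact's SHA-1 matches the published .sha1 file.
    This only catches corrupt or swapped downloads; it proves nothing about
    who published the file, because the checksum sits on the same server.
    Origin is established by the detached OpenPGP signature below."""
    return hashlib.sha1(artifact_bytes).hexdigest() == parse_checksum_file(checksum_text)


def verify_signature(artifact_path, asc_path):
    """Verify the detached .asc signature with the gpg CLI. Requires gpg on
    PATH and the publisher's key imported into the local keyring; gpg exits
    non-zero for a bad signature or an unknown key, so a True result means
    the signature is good and the key is one you chose to import."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed")
    result = subprocess.run(
        ["gpg", "--verify", str(asc_path), str(artifact_path)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample bytes standing in for a downloaded guice-3.0.jar;
    # the "published" checksum is derived from them in coreutils format.
    sample = b"not a real jar, constructed sample bytes"
    published = hashlib.sha1(sample).hexdigest() + "  guice-3.0.jar\n"
    print(artifact_url("com.google.inject", "guice", "3.0", classifier="sources"))
    print("sha1 ok:", verify_sha1(sample, published))
    print("sha1 ok (tampered):", verify_sha1(sample + b"x", published))
```

The checksum check and the signature check answer different questions: the .sha1 guards against a truncated or substituted download, while only the .asc signature, verified against a key whose fingerprint was obtained out of band, ties the artifact to the publisher; the web-of-trust point raised in the quoted message is about making that second step possible.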