
Re: Frustration with trying to build Debian packages from Maven-based sources



Manfred Moser:
> Some clarifications..
Ditto, thanks for your reply.

> > - Release source tarballs, not only binaries to maven central.
> 
> This has been a requirement for open source components in Central for
> years. You can find them with the -sources classifier in a jar file. E.g.
> looking at
> http://search.maven.org/#artifactdetails%7Ccom.google.inject%7Cguice%7C3.0%7Cjar
> you can find the java doc and source code for guice in
> guice-3.0-javadoc.jar and guice-3.0-sources.jar

I was thinking about tar.{gz|bzip2|xz|...} source archives on the website of 
the project, but that's not so important. We could enhance our tools to also 
work on .jar files. Some people might have strong feelings about the zip 
format.

However I'm not sure whether a source.jar produced by maven can be used to 
build a Debian package. I assume that generated java code from tools like 
protobuf or jflex is included in the source.jar? We don't want generated 
source code but the "real" source files written by humans. Are those files, 
the protobuf and jflex definition files included in a source.jar?

> > - Sign your artifacts with gpg keys that are connected to the
> > web-of-trust.
> 
> Signing is a requirement for deployment to Central. See
> https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

I've skimmed through this site and through "How To Generate PGP Signatures 
With Maven". The site does not mention the web-of-trust. I believe it would be 
of great service for the java world, if this very important site could mention 
the importance of getting a PGP/GPG key signed. An unsigned key does not 
provide any security. It only lures people into a false sense of security.

> If there is interest in the debian community to have a controlled
> repository server running that only provides approved jars you could run
> Sonatype Professional. As an open source project you could get a free
> license. If there is any interest in that please contact me at
> manfred@sonatype.com

Thank you for the offer, but Debian only uses free software tools. And the 
tasks solved by your repository server and the Debian infrastructure are very 
different.

However I'm looking forward to a day, when we can provide a maven repository 
server, maybe yours, as an additional service. But that requires extra work.

Regards,

Thomas Koch, http://www.koch.ro
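The question above, whether a Maven -sources.jar contains generated Java or the
human-written .proto/.flex definitions it came from, can be checked
mechanically. The following script is an added example for this thread, not
code from Debian, Sonatype or any project discussed here. It assumes that
generated files carry the usual header markers ("Generated by the protocol
buffer compiler", "generated by JFlex", "DO NOT EDIT"), which is a heuristic,
and the sample jar it builds in memory is constructed for illustration only.

```python
import io
import re
import zipfile

# Heuristic markers that code generators put at the top of emitted Java files.
# protoc writes "// Generated by the protocol buffer compiler.  DO NOT EDIT!",
# JFlex writes "// DO NOT EDIT" and "scanner generated by JFlex". Assumption:
# any other generator is caught by the generic DO NOT EDIT marker.
GENERATED_MARKERS = (
    re.compile(r"Generated by the protocol buffer compiler", re.I),
    re.compile(r"generated by JFlex", re.I),
    re.compile(r"\bDO NOT EDIT\b"),
)

# Human-written definition files that generated Java is produced from.
DEFINITION_SUFFIXES = (".proto", ".flex", ".jflex")


def classify_sources_jar(data: bytes) -> dict:
    """Split a -sources.jar (a zip) into generated Java, hand-written Java and
    generator definition files, and say whether a from-source rebuild is
    possible: generated files are acceptable only if the definitions they
    come from are shipped alongside them."""
    generated, definitions, handwritten = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(DEFINITION_SUFFIXES):
                definitions.append(name)
            elif name.endswith(".java"):
                # Only the header is needed to spot a generator banner.
                head = jar.read(name)[:4096].decode("utf-8", "replace")
                if any(p.search(head) for p in GENERATED_MARKERS):
                    generated.append(name)
                else:
                    handwritten.append(name)
    return {
        "generated": sorted(generated),
        "definitions": sorted(definitions),
        "handwritten": sorted(handwritten),
        "buildable_from_definitions": not generated or bool(definitions),
    }


def build_sample_jar(include_proto: bool) -> bytes:
    """Constructed sample jar (not a real artifact): one hand-written class,
    one protoc-generated class and, optionally, the .proto it came from."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/App.java",
                     "package com.example;\npublic class App {}\n")
        jar.writestr("com/example/Msg.java",
                     "// Generated by the protocol buffer compiler.  DO NOT EDIT!\n"
                     "// source: msg.proto\npackage com.example;\n")
        if include_proto:
            jar.writestr("msg.proto", 'syntax = "proto2";\nmessage Msg {}\n')
    return buf.getvalue()


if __name__ == "__main__":
    for with_proto in (False, True):
        report = classify_sources_jar(build_sample_jar(with_proto))
        print("definitions shipped:", with_proto, "->", report)
```

Run it against a real artifact with
`classify_sources_jar(open("guice-3.0-sources.jar", "rb").read())`; a jar that
reports generated files but no definitions cannot be rebuilt from what it
contains, which is exactly the case the packaging tools need to reject.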

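The point made above about signed keys, that a good signature from a key with
no web-of-trust path proves nothing, is visible in gpg's machine-readable
status output: GOODSIG can be accompanied by TRUST_UNDEFINED. The script below
is an added example written for this thread, not code from Debian, Sonatype or
Maven. It parses `gpg --status-fd` lines (GOODSIG, VALIDSIG, TRUST_*, BADSIG
and friends) and treats anything below TRUST_MARGINAL as untrusted; the
`verify_artifact` wrapper assumes a `gpg` binary and the signer's key in the
local keyring, and the sample status texts, key ids and fingerprints are
constructed for illustration only.

```python
import subprocess

# gpg --status-fd trust lines. Anything below TRUST_MARGINAL means gpg found no
# path from your own key to the signer through the web of trust, so a GOODSIG
# alone only proves that *some* key signed the file.
TRUST_LEVELS = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 0, "TRUST_MARGINAL": 1,
                "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}

FAILURE_TAGS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def signature_status(status_text: str) -> dict:
    """Turn gpg --status-fd output into a verdict: the signature must be good
    AND the signing key must be at least marginally valid in the keyring."""
    result = {"good": False, "keyid": None, "fingerprint": None,
              "trust": "TRUST_UNDEFINED", "trusted": False, "errors": []}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG" and len(parts) >= 3:
            result["good"] = True
            result["keyid"] = parts[2]
        elif tag == "VALIDSIG" and len(parts) >= 3:
            result["fingerprint"] = parts[2]
        elif tag in TRUST_LEVELS:
            result["trust"] = tag
        elif tag in FAILURE_TAGS:
            result["errors"].append(line)
    result["trusted"] = (result["good"] and not result["errors"]
                         and TRUST_LEVELS[result["trust"]] >= 1)
    return result


def verify_artifact(artifact: str, signature: str, gpg: str = "gpg") -> dict:
    """Verify a detached .asc from a Maven repository and require a
    web-of-trust path to the signer. Assumes gpg is installed and the signer's
    public key has already been imported into the local keyring."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return signature_status(proc.stdout)


# Constructed sample status output (dummy key id and fingerprint): a good
# signature from a key nobody in the local keyring has signed.
SAMPLE_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <dev@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: same signature, but the key is fully valid because a
# trusted introducer in the keyring has certified it.
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")


if __name__ == "__main__":
    for label, text in (("untrusted key", SAMPLE_UNTRUSTED),
                        ("trusted key", SAMPLE_TRUSTED)):
        print(label, "->", signature_status(text))
```

In practice a build pipeline would call
`verify_artifact("guice-3.0.jar", "guice-3.0.jar.asc")` and refuse the
artifact whenever `trusted` is False, even though gpg's human-readable output
for the first sample would still say "Good signature".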
