On Tue, 12 Feb 2019 12:34:56 +0100, Markus Koschany <apo@debian.org> wrote:
Hello,
Dalibor Topic (Oracle) and Robert Scholte (Apache Maven) contacted me
and were so kind to agree to make this discussion public, so that others
can chime in too. I would like to use the opportunity to answer the
initial question "what we are interested in seeing better supported from
build tools" and give some general feedback about integrating Java into
Debian.
First of all Ant and Maven are most likely the best supported build
systems at the moment. We carry only two patches for Maven, one because
we use a newer version of SLF4j [1] and the second one is to make Maven
builds reproducible. [2] It looks like [1] has been already merged
upstream but [2] has not been forwarded yet. It would be great of
course, if Maven builds would be reproducible out-of-the-box. In general
I would like to see reproducible builds everywhere.
Hi Markus,
first of all thanks for the insights, it is important for us to know how
Maven is used and in which way we can improve that way-of-work. Hervé is
already working hard on the reproducible builds specs with your team in
order to find out how we can improve our maven-plugins to get
reproducible artifacts.
Maven itself is not 100% reproducible. We've learned that some Linux
vendors rebuild Maven and the presentation confirmed that Debian is one
of those vendors. What we've seen in the past is that sometimes people
are having issues with Maven and after a while we discovered that they
were not using the official Apache Maven distribution[1]. For us it is
quite easy to say: sorry, not our official distribution, please contact
your Linux distributor.
In such case we have 3 losers: the user, the Apache Maven project and
the Linux Distributor. If only the official Maven distribution was used,
then we would have had 3 winners.
When you decide to rebuild Maven, you're also taking all related
responsibilities. I'm also wondering how you build Maven, since Maven is
being built with Maven. That should be a challenge to also rebuild all
plugins, etc.
And how do you test this and confirm that it works as the official
distribution?
Sure, *IF* Maven is 100% reproducible then you can rely on our
test-infra, but that's not the situation.
So here are my main questions:
- Are you making clear that you're not using the official Maven
distribution, e.g. by adjust the info from 'mvn --version'?