[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: FOSDEM 19 Debian Java talk

Am 2019-02-12 um 20:09 schrieb Robert Scholte:
On Tue, 12 Feb 2019 12:34:56 +0100, Markus Koschany <apo@debian.org> wrote:


Dalibor Topic (Oracle) and Robert Scholte (Apache Maven) contacted me
and were so kind to agree to make this discussion public, so that others
can chime in too. I would like to use the opportunity to answer the
initial question "what we are interested in seeing better supported from
build tools" and give some general feedback about integrating Java into

First of all Ant and Maven are most likely the best supported build
systems at the moment. We carry only two patches for Maven, one because
we use a newer version of SLF4j [1] and the second one is to make Maven
builds reproducible. [2] It looks like [1] has been already merged
upstream but [2] has not been forwarded yet. It would be great of
course, if Maven builds would be reproducible out-of-the-box. In general
I would like to see reproducible builds everywhere.

Hi Markus,

first of all thanks for the insights, it is important for us to know how Maven is used and in which way we can improve that way-of-work. Hervé is already working hard on the reproducible builds specs with your team in order to find out how we can improve our maven-plugins to get reproducible artifacts.

Maven itself is not 100% reproducible. We've learned that some Linux vendors rebuild Maven and the presentation confirmed that Debian is one of those vendors. What we've seen in the past is that sometimes people are having issues with Maven and after a while we discovered that they were not using the official Apache Maven distribution[1]. For us it is quite easy to say: sorry, not our official distribution, please contact your Linux distributor. In such case we have 3 losers: the user, the Apache Maven project and the Linux Distributor. If only the official Maven distribution was used, then we would have had 3 winners.

When you decide to rebuild Maven, you're also taking all related responsibilities. I'm also wondering how you build Maven, since Maven is being built with Maven. That should be a challenge to also rebuild all plugins, etc. And how do you test this and confirm that it works as the official distribution? Sure, *IF* Maven is 100% reproducible then you can rely on our test-infra, but that's not the situation.

So here are my main questions:
- Are you making clear that you're not using the official Maven distribution, e.g. by adjust the info from 'mvn --version'?

I expressed my proposal to Hervé that we need a new property: maven.vendor. Our official distribution will carry the value: ASF. Everyone else who modifies the content must change the value in the build.properties. Thus, we will quickly know that this distro has been modified by someone else.


Reply to: