Am Sonntag, den 06.12.2020, 21:46 +0100 schrieb Antonin Delpeuch (lists): [...] > How important is it that all dependencies are packaged independently? > Butterfly is a framework that has not been maintained for years, and we > are not aware of any other users beyond OpenRefine. We would love to > migrate to something else. We are the de facto maintainers of butterfly > since we use our own fork anyway, so I would argue that it can be > considered an internal library that is not worth exposing to the outside > world. This is true for other dependencies in the > org.openrefine.dependencies namespace. But of course many other > dependencies listed below are actively maintained and used in other > projects. It is quite important in Debian to be able to build dependencies independently from each other, especially if different upstream projects maintain them. One or more binary packages are built from one source package. We usually package only one version of a certain software project and then all other packages in Debian, which depend on it, must function with it. For Java developers this is a strange concept because Java is version-centric. For them it is even possible to depend on multiple versions of the same library in one project. The reason why Debian is insisting on building independent packages and packaging only a single version is to avoid code duplication and security problems across the distribution. If there is an issue it can be fixed in a single source package and all other dependent packages are protected. It also makes bootstrapping much easier and in the end it takes less time to maintain those packages in stable releases. However the initial work can look quite intimidating. Making different projects work with just a single library version sometimes requires patches to the source code, something upstream would hesitate or even refuse to apply. Of course there are exceptions. If Butterfly is basically an internal library of OpenRefine then we could try to bundle them together in one source package. Ideally the Butterfly source code is included in src:openrefine and Maven would do the rest. Otherwise a clear separation between Butterfly and OpenRefine would work as well, it is just one extra source package. It is also noteworthy that network access is disabled when we build Debian packages. That means a project can't just simply download dependencies from the internet. All those dependencies must be available as Debian packages already. This ensures that everything in Debian can be built from source, even offline.
Attachment:
signature.asc
Description: This is a digitally signed message part