[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: List of consultants focusing on Debian packaging for Java?

Am Sonntag, den 06.12.2020, 21:46 +0100 schrieb Antonin Delpeuch (lists):
> How important is it that all dependencies are packaged independently?
> Butterfly is a framework that has not been maintained for years, and we
> are not aware of any other users beyond OpenRefine. We would love to
> migrate to something else. We are the de facto maintainers of butterfly
> since we use our own fork anyway, so I would argue that it can be
> considered an internal library that is not worth exposing to the outside
> world. This is true for other dependencies in the
> org.openrefine.dependencies namespace. But of course many other
> dependencies listed below are actively maintained and used in other
> projects.

It is quite important in Debian to be able to build dependencies independently
from each other, especially if different upstream projects maintain them. One
or more binary packages are built from one source package. We usually package
only one version of a certain software project and then all other packages in
Debian, which depend on it, must function with it. For Java developers this is
a strange concept because Java is version-centric. For them it is even possible
to depend on multiple versions of the same library in one project.

The reason why Debian is insisting on building independent packages and
packaging only a single version is to avoid code duplication and security
problems across the distribution. If there is an issue it can be fixed in a
single source package and all other dependent packages are protected. It also
makes bootstrapping much easier and in the end it takes less time to maintain
those packages in stable releases. However the initial work can look quite
intimidating. Making different projects work with just a single library version
sometimes requires patches to the source code, something upstream would
hesitate or even refuse to apply. 

Of course there are exceptions. If Butterfly is basically an internal library
of OpenRefine then we could try to bundle them together in one source package.
Ideally the Butterfly source code is included in src:openrefine and Maven would
do the rest. Otherwise a clear separation between Butterfly and OpenRefine
would work as well, it is just one extra source package.

It is also noteworthy that network access is disabled when we build Debian
packages. That means a project can't just simply download dependencies from the
internet. All those dependencies must be available as Debian packages already.
This ensures that everything in Debian can be built from source, even offline. 

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: