
Re: packaging Go runtime for ANTLR4



On 2021-07-28 17:08, tony mancill wrote:

I don't disagree with Emmanuel's statements about the importance of
ANTLR and why it is helpful to maintain separation.  However, I don't
think introducing a separate source package for each language ecosystem is
necessarily best for Debian.

It's not optimal for the number of source packages in the distribution,
but it's optimal wrt the human resources available to maintain the packages,
and that's much more important than a few saved megabytes on the APT
repository mirrors. With separate source packages, I'm confident that
an issue with the Go/Python/C++ compiler and build tools won't hinder
the work on the Java library. Bootstrapping ANTLR4 wasn't a trivial task
(there were circular self-dependencies) and I don't think I would have
been able to do it if I had to care about the other languages.


It causes additional work for the Security team in the event there are vulnerabilities.

AFAIK there was no CVE reported for ANTLR so far, so separate packages
do not induce an increased security maintenance in this case.


It potentially confuses users (and Debian developers) by creating a distinction that does not exist upstream.

I'm thinking about documenting in debian/README.source why the languages
are isolated in separate packages, this isn't the first time this question
arises.


It also means that we will release with different versions of ANTLR
for different languages, which feels very "non-distro" to me. (What happens if the version of the ANTLR parser for language X is subtly incompatible with
language Y, and a user runs a system on Debian that requires both
bindings?)

We already have several versions of ANTLR for Java packaged (2.7.7, 3.2, 3.5.2
and 4.7.2). If a new version of ANTLR creates regressions, we just clone
the package to preserve the old version. That's the only sane solution,
because you really don't want to test, debug and fix grammars with an
incompatible version of ANTLR, that's the responsibility of the upstream
developers.

Emmanuel Bourg

