Re: Removing freeplane 1.7.x from Debian?
hello Sebastiaan, Tony, Thorsten, Emmanuel,
Sebastiaan Couwenberg <sebastic@xs4all.nl> writes:
> On 4/1/24 8:49 AM, Felix Natter wrote:
>> tony mancill <tmancill@debian.org> writes:
>>> In my opinion we should be remove the outdated freeplane package from
>>> Debian.
>> the only thing that speaks against this is the user comment in #1030150
>> [1]. Is it true that "as Debian (and many derivates) still ship with old
>> JDK"? [2]
>
> It might be feasible to patch freeplane to use Maven for the Debian package
> build. This was suggested in the Gradle packaging status thread some time
> ago [0].
>
> Osmosis 0.49 also required a more recent Gradle to build, and adding a
> patch to use Maven for the Debian package build was reasonably simple.
>
> [0] https://lists.debian.org/debian-java/2022/08/msg00010.html
thank you for the suggestion. In addition to a complex gradle build
system [1] using the latest features, there are also a number of new
dependencies. The biggest one (I think) is twemoji [2].
[1]
https://github.com/freeplane/freeplane/blob/1.11.x/freeplane/build.gradle etc.
[2] #878875 (Freeplane >= 1.9 can add any unicode emoji as an icon)
I *might* succeed packaging Freeplane with maven, but then it might not
be compatible at all due to some missing gradle build system quirks,
which I think is worse than using the upstream .deb.
@Thorsten: Yes, having a 100% free build in Debian is
nice, but I do not see this happening :( I agree with @Emmanuel that the
upstream .deb is the best solution we can get (and given the nature of
java, this is extremely easy to install for users and upstream to provide) :)
However, in #1030150 Alex says:
> as Debian (and many derivates) still ship with old JDK, there is in my eyes no reason to remove
> Freeplane because of that. Also it would be a shame if it maybe would vanish from it, in that way.
Is this really true for Debian [3]?
[3]
https://packages.debian.org/search?keywords=jre&searchon=names&suite=stable§ion=all
I think that if we do not remove freeplane from Debian, people are
"forced" to keep old unsupported JDK/JRE versions, which is a security
risk IMHO. Do you agree, or is an outdated Debian package even more
secure than an up-to-date upstream package as "Rpnpif" says in #1030150:
> I would agree with alex. Encouraging users to take packages out of
> Debian's repositories is a security risk for their OS. The current case
> with xz demonstrates this. My opinion does not mean that upstream should
> not offer an alternative and packages.
Cheers and Best Regards,
Felix
--
Felix Natter
Reply to: