Bug#1086349: lintian: Report missing Java dependencies declared on a binary package but not on its source package
Package: lintian
Version: 2.119.0
Severity: wishlist
X-Debbugs-Cc: debian-java@lists.debian.org
Hi,

I'd like to suggest an enhancement to improve the stability of the Java
ecosystem in Debian: if a source package builds a binary package which
depends on a Java library that isn't declared in the dependencies of the
source package, lintian could report the missing dependency.

The rationale is that sometimes the code of the source package depends
directly on a specific library, but the library isn't declared in the
dependencies of the source package. The package manages to build because
the missing dependency is provided transitively through another dependency.
When this other dependency is updated and drops the dependency on the
required library, the package breaks.

For example:

1. src:foo builds libfoo-java
2. src:foo requires libbar-java but doesn't depend on it
3. src:foo depends on libbaz-java which depends on libbar-java
4. libfoo-java dependencies are resolved by the build helper (maven-debian-helper),
   libfoo-java depends on libbar-java
5. libbaz-java is then updated and drops the dependency on libbar-java
6. src:foo no longer has libbar-java in its dependency graph and fails to build

The rule would be implemented such that any lib.*-java package found
in the dependencies of the binary package but not declared in the
dependencies of the source package should be reported.

Emmanuel Bourg
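
The rule proposed above, sketched as an added example (not lintian code and not part of the original report). It assumes "dependencies of the source package" means the Build-Depends* fields and that the binary package's Depends field is read after the build helper has resolved it; the function names, the sample field values and the exemption for binaries built by the same source are assumptions of this sketch.

```python
import re

JAVA_LIB = re.compile(r"^lib.*-java$")  # pattern taken from the report


def parse_clauses(field):
    """Split a relationship field into clauses, each a list of alternatives."""
    clauses = []
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            # Drop "(>= 1.0)", "[amd64]", "<!nocheck>" and a ":any" qualifier.
            name = re.sub(r"[(\[<].*", "", alt, flags=re.S).strip().split(":")[0]
            if name and not name.startswith("${"):  # skip unresolved substvars
                alts.append(name)
        if alts:
            clauses.append(alts)
    return clauses


def undeclared_java_deps(source_fields, binary_depends, own_binaries=()):
    """Return lib*-java dependencies of a binary package that no
    Build-Depends* field of its source package declares."""
    declared = {n for f in source_fields for c in parse_clauses(f) for n in c}
    # Assumption: siblings built by the same source need no build dependency.
    declared |= set(own_binaries)
    missing = []
    for alts in parse_clauses(binary_depends):
        java = [n for n in alts if JAVA_LIB.match(n)]
        # A clause is covered when any one of its alternatives is declared.
        if java and not any(n in declared for n in alts):
            missing.append(" | ".join(java))
    return sorted(missing)


# Constructed sample mirroring the src:foo / libfoo-java example above.
BUILD_DEPENDS = ("debhelper-compat (= 13), default-jdk,\n"
                 " maven-debian-helper (>= 2.1), libbaz-java")
BINARY_DEPENDS = "libbar-java (>= 1.2), libbaz-java, ${misc:Depends}"

if __name__ == "__main__":
    for dep in undeclared_java_deps([BUILD_DEPENDS], BINARY_DEPENDS):
        print(f"libfoo-java depends on {dep}, not declared by src:foo")
```
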