/usr/share/java as maven repository?

Wed Dec 19 10:01:11 UTC 2007

2007/12/19, Paul Cager <paul-debian at home.paulcager.org>:
> Dalibor Topic wrote:
> > I assume it's going to be a necessity for us for reproducible offline
> > maven builds to inform maven about our own jars.
> Yes, I'd agree with that. When using maven as part of a Debian package
> build, you'd need to use install:install-file or similar to create a
> (presumably temporary) maven repo from the jars in /usr/share/java. Or,
> more efficiently, we could just set up symlinks.

Or we could write our own plugin to tell maven were to find the
package and maybe fake some version numbers like: "if you're looking
for log4j 1.2.12, then, ask dpkg if liblog4j1.2-java is installed and
use /usr/share/java/log4j1.2.jar"

> What I'm not so sure about is exporting the jars in /usr/share/java as a
> Maven repo to *end users*. I can see it would be a useful way to reduce
> network traffic (especially on multi-user systems), but it seems like a
> lot of additional complexity and work for a relatively small gain. The
> system admin could always set up a Maven-Proxy
> (http://maven-proxy.codehaus.org/). Just my opinion, of course, but I
> think there's a lot of things that should be higher priority.

I was not thinking about the network traffic but about the trust! The
local debian repo is a repo with software built by Debian Developers
who should be familiar with Debian Free Software Guidelines! With the
guarantee the jars are built from sources with free software (or they
go to contrib or non-free). This is my main concern!

I like Maven and as a trainer, I like projects like appfuse or else
with "artifacts", it's really cool. But what I don't like is all the
software downloaded but I can't tell who built it, what are the
different licenses (where are the sources), etc...

If the DFSG does not matter, then, why do we package java software in
Debian? There is JPackage, Maven. We could provide packages with just
a pom.xml and a dependency to jboss ;-)

I did answer the first mail (and it took me some time) because it's a
question I'd like to solve (well, I'd like someone to solve it for
Debian). Maven is a very good peace of software, it's really excellent
to deploy application "everywhere" but in another way (in the Debian
way), you can't have the same guarantee (about how free is the
software, about how it's been compiled). Now, with the reaction and
when thinking deeper about the problem, I think we have to decide why
do we want to use maven in Debian?

1° To build software in Debian: we need to tell maven how and where to
find jars (and aliases: I think of other version numbers)

2° For our users: here, there are three ways of doing it:
  a) open a hole to possibly non-free software on a local maven repo;
  b) install the debian java packages in a local repo (with or without
symlinks);
  c) no site-wide repo, then every user install libs in there home.

3° If we choose 2°c, we can also create a Debian Maven repository. We
simply organize our libs in a way maven can understand, but those jars
would be uploaded by DD's and extracted from the Debian packages.

I think 1° is a short term must have as I think more and more projects
will be built with maven and we could add maven plugin to do debian
specific tasks so everybody could win here.

About 2°, we have to decide what we wanna do.

-- 
Arnaud Vandyck