Make source acceptable in Debian?

Thomas Sødring thomas.sodring at hioa.no
Wed Nov 9 10:59:11 CET 2016


On 11/09/2016 09:59 AM, Petter Reinholdtsen wrote:
> To get the source into Debian, the build needs to succeed using
> dependencies in Debian.  The idea is Debian should be self-contained and
> development and security patching of Debian packages should be possible
> without any external dependencies.  For this to work maven must be told
> to not download stuff from the Internet during build, and all the
> required dependencies must be available in Debian.
>
> Do you agree that this is a useful goal for nikita?  It will affect how
> new dependencies are introduced into the code base.
>
> One can tell maven to build in "offline" mode by adding the --offline
> flag.  I'm not sure it is enough to build the source without Internet
> access, nor how many of the dependencies are currently missing in
> Debian.
>
Hi Petter,

My current thinking is that I want to keep the project source up to date
with libraries that the project is based on. This means that the project
will always use the latest versions of hibernate, spring etc (where
there are no conflicts). But this *only* applies at compile time. My
opinion is that we will not push updated jars on a particular version
that has been published. You have to update to an updated version of the
core if you require updated jars. Some people may themselves decide to
update dependent jars, but as project maintainer, that is not what I
will do. Updating dependent jars will result in a new tested minor
version of the project (e.g. going from 1.2.1 to 1.2.2 due to a security
fix). I want a proper test regime that covers the core satisfactorily so
that problems are quickly detected.

My first choice of distribution model is docker, which will work its way
into the project soon.  We lock a configuration and ensure the core
runs in that configuration. I have never made a .deb file, which I
believe is what we are talking about here. The .deb file will contain
the current version of the core and the core will not just update
itself, in the same way the docker image will not just update itself.
From your point of view, the project will need to be able to handle
package updates in a Debian fashion. I don't know how to do that so will
listen to input. There seems to be a maven plugin to create Debian
packages and I'm happy to include that in the pom.xml. How to handle the
update process is definitely something that needs to be discussed!

So I guess the discussion is about compile time versus runtime. I know
that you can build maven in offline mode, where you manually download
and install the maven jars to the local repository. If the question is
should the project use this offline model at compile time, then I think
no. Certainly not when it is in the early stages of development. Should
we / could we do this as we approach an actual product, version 0.9? I
would be happy to discuss ways to increase the trustability of the core
as it matures and we can revisit this question later. Managing a project
like this is new to me so I am open to input on how to do this in a
best-practice fashion.

At runtime, the project will not download and/or update jar files. It
would be such a security risk to simply trust jars from the Internet at
runtime. I hope this answers your question satisfactorily.

 - Tom
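The thread asks how many of the project's dependencies are currently missing from Debian, i.e. which ones a `mvn --offline` build would fail on. The script below is an added example written for this page, not code from the nikita project or the thread: it reads the direct `<dependency>` entries of a pom.xml and checks each against a local repository laid out in the standard Maven way (Debian's packaged jars live under `/usr/share/maven-repo`; `~/.m2/repository` works the same). The sample POM and its version numbers are constructed for the demo.

```python
# Added example (not from the nikita project): list which direct dependencies
# of a pom.xml are absent from a local Maven repository such as
# /usr/share/maven-repo, so an --offline build can be assessed up front.
import os
import tempfile
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; artifact names echo the thread, versions are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>4.3.3.RELEASE</version></dependency>
    <dependency><groupId>org.hibernate</groupId><artifactId>hibernate-core</artifactId><version>5.2.4.Final</version></dependency>
  </dependencies>
</project>"""


def pom_dependencies(pom_text):
    """Return (groupId, artifactId, version) for each <dependency> in the POM."""
    root = ET.fromstring(pom_text)
    deps = []
    for dep in root.findall(".//m:dependencies/m:dependency", POM_NS):
        g = dep.findtext("m:groupId", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", namespaces=POM_NS)
        # No <version> means it is managed elsewhere; reported as unresolved below.
        v = dep.findtext("m:version", default="", namespaces=POM_NS)
        deps.append((g, a, v))
    return deps


def missing_in_repo(deps, repo_root):
    """Return the deps whose POM file is not present in repo_root.
    Layout is the usual Maven one: group/path/artifact/version/artifact-version.pom"""
    missing = []
    for g, a, v in deps:
        pom = os.path.join(repo_root, *g.split("."), a, v, f"{a}-{v}.pom")
        if not v or not os.path.isfile(pom):
            missing.append((g, a, v))
    return missing


def demo():
    """Constructed scenario: a repo holding only spring-core; hibernate-core is reported missing."""
    deps = pom_dependencies(SAMPLE_POM)
    with tempfile.TemporaryDirectory() as repo:
        g, a, v = deps[0]
        os.makedirs(os.path.join(repo, *g.split("."), a, v))
        open(os.path.join(repo, *g.split("."), a, v, f"{a}-{v}.pom"), "w").close()
        return missing_in_repo(deps, repo)


if __name__ == "__main__":
    # For a real check: missing_in_repo(pom_dependencies(open("pom.xml").read()), "/usr/share/maven-repo")
    print("missing:", demo())
```

Transitive dependencies are not covered here; `mvn --offline dependency:tree` against the same repository is the way to surface those.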