[Mageia-dev] Java-Policy first draft published

nicolas vigier boklm at mars-attacks.org
Fri Jan 21 02:14:40 CET 2011 

On Wed, 12 Jan 2011, Frank Griffin wrote:

> Farfouille wrote:
> > Hi
> >
> > I have published a first draft of Java application package policy. http://mageia.org/wiki/doku.php?id=java_applications_policy
> >
> > Corrections and comments are welcome.
> >   
> 
> The bit about pre-packaged JARs may cause trouble.  In theory, it's
> great, but many applications depend upon certain versions of their
> utility JARs, and can't all run with the latest versions.  Any such app

Then those applications should be fixed. That's the same with C libraries
or other languages. When a program is not working with a newer version
of its libraries, it is fixed, instead of keeping both the new and old
libraries installed.

Unless we want to keep 10 versions of each library, each with their owns
bugs and security issues.

Only when it is really necessary, multiple versions should be kept.

> 
> Maven POMs allow the packager to specify required other objects
> ("artifacts") not only for building the package but for execution as
> well.  There are central Maven repositories which contain versioned
> artifacts for commonly-used projects, e.g. JUnit, and many companies
> have site-wide repositories of their own.  Finally, every user of Maven
> has a personal repository located in $HOME/.m2, which is why the policy
> has code for creating this directory.
> 
> Repositories are seached for needed artifacts from the most local (the
> user's personal repository) to the most remote (the central Maven
> repositories) as directed by a settings.xml file in the user's .m2
> directory or <repositories> tags in the individual pom.xml files.  The
> general intent is to obtain artifacts from the "closest" repository. 
> Company repositories are not just the central location for
> company-specific artifacts, but also a local cache for central Maven
> repository artifacts.
> 
> >From the policy, it looks like the personal repository for the ID under
> which RPM builds the package is wiped clean for every package, and thus
> every needed artifact will be downloaded from the remote repositories
> for every build.  If that's the case, it's an awful waste of bandwidth,
> since many of these artifacts are used for every Maven project.

Nothing should be downloaded from remote maven repositories during RPM
builds. All dependencies should be installed from rpm packages only.

More information about the Mageia-dev mailing list