FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Java

 
 
LinkBack Thread Tools
 
Old 02-09-2011, 10:25 AM
Stefane Fermigier
 
Default How to package Nuxeo DM, a Java EE application, in Debian

On Feb 9, 2011, at 10:45 AM, Giovanni Mascellani wrote:

> Hi.
>
> On 09/02/2011 10:06, Stefane Fermigier wrote:
>>> I'd say that this one of the main added value of a distribution:
>>> many different pieces of software harmonized together, under a
>>> consistent policy so that people that want to change something in
>>> the source code and recompile just have to do apt-get source, hack
>>> the code and dpkg-buildpackage.
>>>
>>> Of course I'm not pretending that this is going to satisfy all the
>>> kind of users: it's just what Debian users are expecting, so it's
>>> what Debian is offering to its users.
>>
>> Maybe I'm an exception, but I've been a Debian user since 1997 or
>> 1998 (not exclusively, but since that time I have always had from 1
>> to 30 Debian or Ubuntu servers to manage), and my home computer is an
>> Ubuntu.
>>
>> I have NEVER used "apt-get source, hack[ed] the code and
>> dpkg-buildpackage." Not a single time.
>>
>> Also, in the context of enterprise applications, you just don't want
>> to "apt-get source, hack the code and dpkg-buildpackage." You want to
>> run it through a massive amount of QA before putting it into
>> production.
>>
>> Cf. http://qa.nuxeo.org/ for an example of what we do at Nuxeo.
>
> Sorry, I may have missed some context: of course upstream developers
> don't use Debian package's sources, they work directly on the
> development copy they have.

I was not thinking about this case, but with my sysadmin hat.

Of course a developer won't use dpkg-buildpackage as his/her build tool !

> My "apt-get source, hack and dpkg-bp" was
> seen from a derivative developer or sysadmin that has to modify the way
> a software works on its own system or distribution.

As a sysadmin, I've never found the need to repackage a package.

If I need to configure a system, I will edit some files in /etc.

If I need to be more rigorous about it, I will but /etc under git control.

If I need to administer many servers this way, I will use tentakel or chef or puppet.

>
>>> Probably other distributions make things differently because they
>>> are targeted to users with different needs. Other users could
>>> prefer the way maven works, so they will use maven to install their
>>> package.
>>
>> Maven is a build tool, not an installation tool.
>
> Just substitute the word "maven" with any installation tool you
> recommend for Nuxeo or whatever software we're talking about (including,
> for example, an APT repository different from the official Debian
> repositories).

For Debian / Ubuntu users, we actually recommend using our APT repo, indeed.

> The key here is that there are many software installation tool and many
> different repositories for each one of these different tools. The
> software that goes in Debian's main archive is allowed to be there only
> if it complied with Debian policy. There are many good reasons to think
> that the Debian policy is a good thing and probably you have others to
> think that other ways would be better: however, people using Debian
> repositories expect that repositories to be compliant with the Debian
> policy, and probably this is a reason because of they choose them. If
> you think that some pieces of software would benefit from being
> redistributed under a different policy, then build a different
> repository. Pretending that it should enter Debian violation its policy
> doesn't benefit anyone (and, as a matter of facts, is not possible,
> because it would be rejected).

I didn't "pretend" anything like this.

I'm insisting on the fact that:

1. there is room for interpretation in the so called "policies", for instance, that there "should only be one instance of tomcat" in the distribution.

2. sometimes the policies need to be changed in the face of reality. Otherwise, we end up like these poor monkeys:

http://freekvermeulen.blogspot.com/2008/08/monkey-story-experiment-involved-5.html

>
>>> About the difficulty of having a Java application in Debian, I
>>> cannot agree more with Tony: packaging things in Debian is
>>> difficult, because it requires some added value that the packager
>>> must put into the package, and added value requires time.
>>
>> This is not true, if the only thing needed was "some extra added
>> value" there would be
>
> What is not true? The fact that packaging things in Debian is difficult
> or the fact that it's so because it requires some added value?

No, the fact that it *only* requires "some" added value.

You are requiring *much more*. You are requiring upstream developers to *completely change* their development process, dropping maven to use some non-existing tool, renouncing their QA process, etc.

> Of course, we could disagree on whether modifying a package to conform
> with Debian policy is an added value or not:

Modifying a package in a way that introduces significant variance (I'm not talking about tweaking the startup scripts to conform to the FHS, or adding an administrative panel, etc. I'm talking about changing a jar) *reduces* the value of a package, because it's not anymore the certified version (the one that has been through the extensive QA process).

> If you agree to have your software in Debian under these conditions,
> then we're happy to host it, of course. If you think that it's going to
> take too much time, I can't blame you.

It's not about "too much time". It's about asking upstream developers to *completely change* the way they are working, *completely reinventing* a whole family of build tools and processes that don't exist yet.

>> From my experience with working with both the Apache Foundation (I'm
>> with the incubating Apache Chemistry and Stanbol projects), and the
>> Eclipse Foundation (Eclipse Apogee, and a new project that willbe
>> announced today), I can guarantee you that their processes are as
>> annoying (or if you prefer, *rigourous* that Debian's (wrt
>> licenses, copyright notices, etc.)
>
> Not about embedded library copies, for example (as far as I can tell).
> I'm not saying that Apache or Eclipse are working bad, but they're are
> working differently in some ways. But Debian is made the Debian's way,
> not Apache's way.

Problem is, Apache and Eclipse and JBoss are the biggest open source Java projects collections, and by ignoring them you are definitively missing an opportunity of providing value to your users.

>
>>> And, unfortunately, one of the core philosophies in Debian is that
>>> we're not trading quality for time or package number:

You're not just missing on "numbers", but on a *whole category* of valuable software (enterprise open source java software), for which not a single example (I have already asked on this and the ubuntu devel list if there was one) exists.

So this in not a quantitative trade-off, but really a qualitative one.

As a Debian / Ubuntu user, this time, I'm really pissed off that such packages are not available, and that I, or other members of my team, have to install and configure these packages by hand instead of using apt-get.

I'm also fed up with private apt repositories that only work with an obsolete version of Debian (or Ubuntu).

>>> if the
>>> available resources (that is, people that contribute to Debian) are
>>> scarce, then what we're giving up is quantity, not quality. Usually
>>> we're also able to offer quantity, but it's not our main focus.
>>>
>>> BTW, in my little experience, I've already met at least two
>>> different pieces of software written in Java that were non free or
>>> even non redistributable because of licensing issues rising from
>>> putting JARs or copy and pasting code without checking if they were
>>> allowed to do so. I'm proud to say that, thanks to my work, now
>>> these pieces of software are really free in Debian: I'm sure this
>>> is not the only case, but it shows why all the thorough work that a
>>> Debian package needs it's useful.
>>
>> Were these projects from "reputable" organization such as Apache or
>> Eclipse, or open source vendors concerned with the quality of their
>> products and minimizing the legal risk attached to their products ?
>
> No, of course. But what does this change? From the point of view of me
> and many users, geogebra is much more important than JBoss, even it's
> not written by some big foundation.

What I was trying to say is that projects created by or through foundations or responsible companies tend to obey a certain legal and quality process, not that there are more important that other projects.

BTW, here's what geogebra's download page (http://www.geogebra.org/cms/en/download) says: "You are free to copy, distribute and transmit GeoGebra for non-commercial purposes".

Isn't this a flagrant violation of the DFSG (Item 6, "No Discrimination Against Fields of Endeavor") ?

S.

--
Stefane Fermigier, Founder and Chairman, Nuxeo
Open Source, Java EE based, Enterprise Content Management (ECM)
http://www.nuxeo.com/ - +33 1 40 33 79 87 - http://twitter.com/sfermigier
Join the Nuxeo Group on LinkedIn: http://linkedin.com/groups?gid=43314
New Nuxeo release: http://nuxeo.com/dm54
"There's no such thing as can't. You always have a choice."


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: D7DECF6D-14A0-40C1-B469-E67783F85DA7@nuxeo.com">http://lists.debian.org/D7DECF6D-14A0-40C1-B469-E67783F85DA7@nuxeo.com
 
Old 02-09-2011, 12:50 PM
Scott Howard
 
Default How to package Nuxeo DM, a Java EE application, in Debian

This is an interesting problem, there are great open source Java
projects out there that, but no fault of their own, are using
libraries from a repo that Debian can't access (no copyright notice
and no license makes it a non-starter). Add the library versioning/API
breakage potential on top of that, and it's even harder. If only
maven's repos had their source code and license available, I can
imagine some script to scrape their repo and make policy compliant
.debs from them...

I think Stefane picked a great example of how Debian packages are made
policy compliant (and the work needed for every java library)

On Wed, Feb 9, 2011 at 6:25 AM, Stefane Fermigier <sf@nuxeo.com> wrote:
> What I was trying to say is that projects created by or through foundations or responsible companies tend to obey a certain legal and quality process, not that there are more important that other projects.

I have no doubt that those foundations follow their legal
responsibilities, It's just that when Debian hosts the code, it's now
Debian's legal responsibility to follow whatever license whomever
holds the copyright has assigned to us.

>
> BTW, here's what geogebra's download page (http://www.geogebra.org/cms/en/download) says: "You are free to copy, distribute and transmit GeoGebra for non-commercial purposes".
>
> Isn't this a flagrant violation of the DFSG (Item 6, "No Discrimination Against Fields of Endeavor") ?

That is a perfect example of how Debian does a "value add" to their
packages. The full license is at:
http://www.geogebra.org/download/license.txt
and the debian copyright is:
http://packages.debian.org/changelogs/pool/main/g/geogebra/geogebra_3.2.46.0+dfsg1-1/geogebra.copyright

Only the installer is CC-BY-SA-NC (which is not DFSG free), so the
debian maintainer removed the -NC code so the remaining files are all
GPL-2+ and CC-BY-SA. You can see the +dfsg in the package version,
indicating that someone did work to make it dfsg. That's why we'd need
the source code and license for each jar, but situations like that are
very common.

Cheers,
Scott


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: AANLkTimv1-o_PqjOHNSQynnWwP_Rbet51B0xqoA_TUwm@mail.gmail.com" >http://lists.debian.org/AANLkTimv1-o_PqjOHNSQynnWwP_Rbet51B0xqoA_TUwm@mail.gmail.com
 
Old 02-09-2011, 01:24 PM
Vincent Fourmond
 
Default How to package Nuxeo DM, a Java EE application, in Debian

Hello,

On Wed, Feb 9, 2011 at 12:25 PM, Stefane Fermigier <sf@nuxeo.com> wrote:
>> What is not true? The fact that packaging things in Debian is difficult
>> or the fact that it's so because it requires some added value?
>
> No, the fact that it *only* requires "some" added value.
>
> You are requiring *much more*. You are requiring upstream developers to *completely change* their development process, dropping maven to use some non-existing tool, renouncing their QA process, etc.

This is not what we *require*, as you say.

We have policies to accept packages into Debian. These policies
arise from the Debian Social Contract. If you want to make
modifications to the Social contract, the correct mailing list is
debian-project. Be warned however that this will most probably lead to
nothing

I don't see what you're trying to get here. If you want a package
inside the Debian archives, you have to play by Debian rules. The
alternative of providing you own apt repository, which you already do,
is fairly acceptable IMHO. I for one use private repositories for some
free software I wrote, since one of the libraries it depends on is
freely available, and "open source", but its license and copyright
states are at best unclear, and it is rather huge.

The FTPmaster will *never* accept sourceless JARs. Moreover, all
JARs must be built from the corresponding sources using a well-defined
procedure, so that the debian security team can do its job.

With that in mind, i wish you a very pleasant day.

Vincent


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: AANLkTi=_bvRY1FCRH8XdpkVki9-C6eAfVeLRWoJQx3gQ@mail.gmail.com">http://lists.debian.org/AANLkTi=_bvRY1FCRH8XdpkVki9-C6eAfVeLRWoJQx3gQ@mail.gmail.com
 
Old 02-09-2011, 01:26 PM
Giovanni Mascellani
 
Default How to package Nuxeo DM, a Java EE application, in Debian

On 09/02/2011 14:50, Scott Howard wrote:
>> BTW, here's what geogebra's download page
>> (http://www.geogebra.org/cms/en/download) says: "You are free to
>> copy, distribute and transmit GeoGebra for non-commercial
>> purposes".
>>
>> Isn't this a flagrant violation of the DFSG (Item 6, "No
>> Discrimination Against Fields of Endeavor") ?
>
> That is a perfect example of how Debian does a "value add" to their
> packages. The full license is at:
> http://www.geogebra.org/download/license.txt and the debian copyright
> is:
> http://packages.debian.org/changelogs/pool/main/g/geogebra/geogebra_3.2.46.0+dfsg1-1/geogebra.copyright
>
> Only the installer is CC-BY-SA-NC (which is not DFSG free), so the
> debian maintainer removed the -NC code so the remaining files are
> all GPL-2+ and CC-BY-SA. You can see the +dfsg in the package
> version, indicating that someone did work to make it dfsg. That's why
> we'd need the source code and license for each jar, but situations
> like that are very common.

There is more: in the source codebase there are also some .java files
with a completely non free license. I had to find some replacement code
for them and patch the code in order to fix that.

http://patch-tracker.debian.org/patch/series/view/geogebra/3.2.44.0+dfsg1-2/patch/flanagan_nonfree.diff

I tried to convince upstream that the jarball on their site is not
usable, because it contains code under two non compatible licenses (GPL
and a non free license). They didn't care, so now someone using their
WebStart application could be violating a copyright law. Instead, Debian
version is completely free (unless I've missed something; but I looked
at the code more and more times, so I really hope not).

Giovanni.
--
Giovanni Mascellani <mascellani@poisson.phc.unipi.it>
Pisa, Italy

Web: http://poisson.phc.unipi.it/~mascellani
Jabber: g.mascellani@jabber.org / giovanni@elabor.homelinux.org
 
Old 02-09-2011, 01:40 PM
Stefane Fermigier
 
Default How to package Nuxeo DM, a Java EE application, in Debian

On Feb 9, 2011, at 3:24 PM, Vincent Fourmond wrote:

> Hello,
>
> On Wed, Feb 9, 2011 at 12:25 PM, Stefane Fermigier <sf@nuxeo.com> wrote:
>>> What is not true? The fact that packaging things in Debian is difficult
>>> or the fact that it's so because it requires some added value?
>>
>> No, the fact that it *only* requires "some" added value.
>>
>> You are requiring *much more*. You are requiring upstream developers to *completely change* their development process, dropping maven to use some non-existing tool, renouncing their QA process, etc.
>
> This is not what we *require*, as you say.

This is what *your policy* requires (as you claim) to get the packages into Debian. What do you think I'm discussing here?

And you don't seem very keen on changing or even discussing those policies, even in the face of serious drawbacks.

> We have policies to accept packages into Debian. These policies
> arise from the Debian Social Contract. If you want to make
> modifications to the Social contract, the correct mailing list is
> debian-project. Be warned however that this will most probably lead to
> nothing
>
> I don't see what you're trying to get here.

I was trying (based on previous discussions with some Debian / Ubuntu people that this might be possible) to find a concrete solution with you guys, but it seems it won't happen.

I'm also trying to pass a message: you obviously care about packaging Java applications, so aren't you frustrated that this is so hard (I mean, impossible) to do for any significant and useful business application (those that professional Debian users should really care for) with the current rules ?

I, personally, am, as a Debian *user*.

> I for one use private repositories for some
> free software I wrote, since one of the libraries it depends on is
> freely available, and "open source", but its license and copyright
> states are at best unclear, and it is rather huge.

Not sure how you can claim it's "open source" if the license is unclear...

S.

--
Stefane Fermigier, Founder and Chairman, Nuxeo
Open Source, Java EE based, Enterprise Content Management (ECM)
http://www.nuxeo.com/ - +33 1 40 33 79 87 - http://twitter.com/sfermigier
Join the Nuxeo Group on LinkedIn: http://linkedin.com/groups?gid=43314
New Nuxeo release: http://nuxeo.com/dm54
"There's no such thing as can't. You always have a choice."


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: EDD40296-2F5F-4ED8-9DC9-843C128DEDC6@nuxeo.com">http://lists.debian.org/EDD40296-2F5F-4ED8-9DC9-843C128DEDC6@nuxeo.com
 
Old 02-09-2011, 01:49 PM
Torsten Werner
 
Default How to package Nuxeo DM, a Java EE application, in Debian

Hi,

Am 09.02.2011 15:24, schrieb Vincent Fourmond:
> The FTPmaster will *never* accept sourceless JARs.

we don't accept them into Debian's main component. However they are
acceptable for the non-free component as long as it is allowed to
redistribute them in binary form.

Cheers,
Torsten


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D52A993.6070501@debian.org">http://lists.debian.org/4D52A993.6070501@debian.org
 
Old 02-09-2011, 01:51 PM
Stefane Fermigier
 
Default How to package Nuxeo DM, a Java EE application, in Debian

Thanks, Torsten, this is great news !

Can we start this discussion over with this option in mind ?

S.

On Feb 9, 2011, at 3:49 PM, Torsten Werner wrote:

> Hi,
>
> Am 09.02.2011 15:24, schrieb Vincent Fourmond:
>> The FTPmaster will *never* accept sourceless JARs.
>
> we don't accept them into Debian's main component. However they are
> acceptable for the non-free component as long as it is allowed to
> redistribute them in binary form.
>
> Cheers,
> Torsten
>
>
> --
> To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/4D52A993.6070501@debian.org
>

--
Stefane Fermigier, Founder and Chairman, Nuxeo
Open Source, Java EE based, Enterprise Content Management (ECM)
http://www.nuxeo.com/ - +33 1 40 33 79 87 - http://twitter.com/sfermigier
Join the Nuxeo Group on LinkedIn: http://linkedin.com/groups?gid=43314
New Nuxeo release: http://nuxeo.com/dm54
"There's no such thing as can't. You always have a choice."


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 24C35104-B17B-42C3-A5AF-E9664E5C7648@nuxeo.com">http://lists.debian.org/24C35104-B17B-42C3-A5AF-E9664E5C7648@nuxeo.com
 
Old 02-09-2011, 02:02 PM
Vincent Fourmond
 
Default How to package Nuxeo DM, a Java EE application, in Debian

On Wed, Feb 9, 2011 at 3:49 PM, Torsten Werner <twerner@debian.org> wrote:
> Am 09.02.2011 15:24, schrieb Vincent Fourmond:
>> * The FTPmaster will *never* accept sourceless JARs.
>
> we don't accept them into Debian's main component. However they are
> acceptable for the non-free component as long as it is allowed to
> redistribute them in binary form.

Which excludes all GPLed/LGPLed software.

If all the binary-only JARs in Nuxeo are licensed under a BSD-like
license, then it may be suitable for non-free.

If not, you're back to the original problem. This is a *legal* problem.

Cheers,

Vincent


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: AANLkTimB0_TC+CAPACx0mNsP756E7YeDTWz9=-_5DgSC@mail.gmail.com">http://lists.debian.org/AANLkTimB0_TC+CAPACx0mNsP756E7YeDTWz9=-_5DgSC@mail.gmail.com
 
Old 02-09-2011, 02:04 PM
Torsten Werner
 
Default How to package Nuxeo DM, a Java EE application, in Debian

Am 09.02.2011 15:51, schrieb Stefane Fermigier:
> Can we start this discussion over with this option in mind ?

There is another option that we should discuss:

- distribute all those binary dependencies in a separate package, e.g.
nuxeo-nonfree-libs via alioth.d.o or some other inofficial server

- maintain a clean nuxeo package that (Build-)Depends:
nuxeo-nonfree-libs in our contrib component but prefer any libs that
have already been packaged in main

- reduce the size of nuxeo-nonfree-libs step by step by packaging the
jars in a Debian compliant way

Cheers,
Torsten


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D52ACE3.5090503@debian.org">http://lists.debian.org/4D52ACE3.5090503@debian.org
 
Old 02-09-2011, 02:11 PM
Vincent Fourmond
 
Default How to package Nuxeo DM, a Java EE application, in Debian

On Wed, Feb 9, 2011 at 4:04 PM, Torsten Werner <twerner@debian.org> wrote:
> Am 09.02.2011 15:51, schrieb Stefane Fermigier:
>> Can we start this discussion over with this option in mind ?
>
> There is another option that we should discuss:
>
> - distribute all those binary dependencies in a separate package, e.g.
> nuxeo-nonfree-libs via alioth.d.o or some other inofficial server
>
> - maintain a clean nuxeo package that (Build-)Depends:
> nuxeo-nonfree-libs in our contrib component but prefer any libs that
> have already been packaged in main
>
> - reduce the size of nuxeo-nonfree-libs step by step by packaging the
> jars in a Debian compliant way

I'd vote for that too. That does not cause potential legal troubles
and allows a smooth (but probably very long) transition between
non-distributable to aceptable into main.

Cheers,

Vincent


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: AANLkTi=QW_GfdK7moWL80xk--DeGpTT=W=TM2+t+pxe4@mail.gmail.com">http://lists.debian.org/AANLkTi=QW_GfdK7moWL80xk--DeGpTT=W=TM2+t+pxe4@mail.gmail.com
 

Thread Tools




All times are GMT. The time now is 04:48 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org