A need for build triggers & automatic rebuilds

Florian Weimer fweimer at redhat.com
Fri Jun 21 12:00:36 UTC 2013

On 06/21/2013 08:28 AM, Krzysztof Daniel wrote:

> OSGI records that there is a file
> org.eclipse.jetty.http_9.0.3.v20130506.jar that holds a plugin with
> version 9.0.3.v20130506. That version goes at the build time in a couple
> of places (including metabundle).

Such exact dependencies are fundamentally broken and do not scale.  We 
cannot rebuild the whole world just for minor (say, security) updates. 
Lying about the version number (so that the new version looks like the 
old one to OSGi) doesn't strike me as a good idea, either, because it 
will confuse developers and other tools.

I tried to bring this up on the Project Jigsaw mailing list a couple of 
years ago, but I'm not sure if I brought across this point.  From my 
point of view, these Java module frameworks refuse to acknowledge that 
there is extensive experience with distro-level release engineering. 
(Basically, exact dependencies and multiple versions of the same code 
might be convenient now, but will seriously hurt you down the road.)

> Exact match can't be used at all, because if jetty is updated, then it
> will be impossible to install Eclipse.

Well, if it doesn't work with the old version, that's the right thing to do.

I believe Debian relaxes the OSGi-generated dependencies on system 
libraries.  Fedora should do the same thing in its Eclipse packaging.

Florian Weimer / Red Hat Product Security Team

More information about the devel mailing list