A need for build triggers & automatic rebuilds
fweimer at redhat.com
Fri Jun 21 12:00:36 UTC 2013
On 06/21/2013 08:28 AM, Krzysztof Daniel wrote:
> OSGI records that there is a file
> org.eclipse.jetty.http_9.0.3.v20130506.jar that holds a plugin with
> version 9.0.3.v20130506. That version goes at the build time in a couple
> of places (including metabundle).
Such exact dependencies are fundamentally broken and do not scale. We
cannot rebuild the whole world just for minor (say, security) updates.
Lying about the version number (so that the new version looks like the
old one to OSGi) doesn't strike me as a good idea, either, because it
will confuse developers and other tools.
I tried to bring this up on the Project Jigsaw mailing list a couple of
years ago, but I'm not sure if I brought across this point. From my
point of view, these Java module frameworks refuse to acknowledge that
there is extensive experience with distro-level release engineering.
(Basically, exact dependencies and multiple versions of the same code
might be convenient now, but will seriously hurt you down the road.)
> Exact match can't be used at all, because if jetty is updated, then it
> will be impossible to install Eclipse.
Well, if it doesn't work with the old version, that's the right thing to do.
I believe Debian relaxes the OSGi-generated dependencies on system
libraries. Fedora should do the same thing in its Eclipse packaging.
Florian Weimer / Red Hat Product Security Team
More information about the devel