On 06/21/2013 08:28 AM, Krzysztof Daniel wrote:
OSGI records that there is a file
org.eclipse.jetty.http_9.0.3.v20130506.jar that holds a plugin with
version 9.0.3.v20130506. That version goes at the build time in a couple
of places (including metabundle).
Such exact dependencies are fundamentally broken and do not scale. We
cannot rebuild the whole world just for minor (say, security) updates.
Lying about the version number (so that the new version looks like the
old one to OSGi) doesn't strike me as a good idea, either, because it
will confuse developers and other tools.
I tried to bring this up on the Project Jigsaw mailing list a couple of
years ago, but I'm not sure if I brought across this point. From my
point of view, these Java module frameworks refuse to acknowledge that
there is extensive experience with distro-level release engineering.
(Basically, exact dependencies and multiple versions of the same code
might be convenient now, but will seriously hurt you down the road.)
Exact match can't be used at all, because if jetty is updated, then it
will be impossible to install Eclipse.
Well, if it doesn't work with the old version, that's the right thing to do.
I believe Debian relaxes the OSGi-generated dependencies on system
libraries. Fedora should do the same thing in its Eclipse packaging.
--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
