On Fri, 20 Nov 2020 10:06:28 +0100 Tamás Cservenák <[email protected]> wrote:
> Thanks for the answers! > > AFAIK, we in Apache as well "vote for source", while we provide > binaries as well. > > Given the video mentions that Maven `-sources` artifacts are NOT > buildable (which is true, they are mainly used by IDEs to display > library sources while debug for example), am unsure -- at least for > ASF artifacts -- why not using then source release bundles instead? > For example: > https://dist.apache.org/repos/dist/release/maven/maven-3/3.6.3/source/ Guix is trying to use these original source code repositories. But there is no direct connection between the pom.xml and the original source code. The problem and concern here is that Maven central is a long-term store for the pom.xml, the binary .jar and the IDE-only sources.jar. That works very well for rebuilding from binary dependencies: If my company/project set up an Artifactory cache ten years ago, I'm still able to rebuild my Maven-based software today by using the then-downloaded binary dependencies. But the source code repositories are eliminated quicker. For example, I'm searching the sources for org.marlin:marlin:0.7.5-Unsafe, a dependency of the less than 3 years old GeoServer 2.12.2. The source code is buried with Boundless' death. If I would have at least a hash sum in the pom.xml at Maven central, I might be able to download it from softwareheritage.org. > Also, according to your explanation, the problem is now solved once > for all, right? You do have (those distros you mention, like Guix) > Maven 3.6.3 built now, so you do not have to repeat this anymore? > > My point is that Maven devs also use Maven 3.6.3 currently, and that > version will be used to build any future Maven release as well (ie. > 3.6.4 or 4.0.0 and so on). So, you just had to "hop on" the > bandwagon, do this "dance" once, but from now on, all this work can > be scraped, right? Yes. It is done "once forever". For new versions it might be necessary to add some additional dependencies or update to newer versions. This is not always trivial. From a practical point, it would be nice if you could build Maven 4.0, 4.1, 4.2, etc all from 3.6.3. Contrary the JDK has a linear dependency chain: 1.9->10->11->12->... If you now update for example the make-package, you have to rebuild the full chain. Concerning make: There is also a bootstrapping-chain starting with gnu-make-mesboot0 which is built only with tcc, a small C-compiler, which ... ... and at the end, there is some small binary bootstrap kernel, but this is getting smaller and smaller. Björn
pgphnZNjxaWF8.pgp
Description: OpenPGP digital signature
