[jitsi-dev] Fwd: Comment posted on jitsi


#1

FYI

A comment in regards to our debian package submission to the official
repository.

···

---------- Forwarded message ----------
From: "mentors.debian.net" <support@mentors.debian.net>
Date: Jun 26, 2013 8:45 PM
Subject: Comment posted on jitsi
To: <damencho@jitsi.org>,...
Cc:

A comment has been posted on a package that you are subscribed to.

Kurt Roeckx made the following comment about the jitsi package:

I currently don't see a reason not to upload this. Is there someone else
that wants to sponsor this instead?

You can view information on the package by visiting:

http://mentors.debian.net/package/jitsi

You can change your subscription by visiting your user account settings.

Thanks,

--
mentors.debian.net


#2

Hi!

I think Kurt overlooked that Jitsi ships with many pre-compiled .jar
files (that would end up installed 1:1 or as part of re-packed new .jar
files). That's a big issue for inclusion with a GNU/Linux distribution.
While I'm looking through Gentoo-glasses, Kurt's Debian-glasses
probably say something similar. I have contacted Kurt about it earlier
today to hear if I am missing something.

Best,

Sebastian


#3

Hi!

I think Kurt overlooked that Jitsi ships with many pre-compiled .jar

Are you referring to the deb on the site? That's indeed a pre-compile
deb and not the one we submitted to Debian and that only contains
source files and not a single binary.

files (that would end up installed 1:1 or as part of re-packed new .jar
files). That's a big issue for inclusion with a GNU/Linux distribution.
While I'm looking through Gentoo-glasses, Kurt's Debian-glasses
probably say something similar.

No they don't. We started working on the source-only package about
exactly one year ago. It was a very substantial effort (often very
frustrating), that included chasing down all the source code for all
the dependencies we have. Today we are quite happy and relieved to see
it nearing completion.

I have contacted Kurt about it earlier
today to hear if I am missing something.

OK, feel free to also ask here first next time ;).

Anyways, hope the question is cleared now.

Emil

···

On Thu, Jun 27, 2013 at 1:56 AM, Sebastian Pipping <sebastian@pipping.org> wrote:

Best,

Sebastian

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

--
Emil Ivov, Ph.D. 67000 Strasbourg,
Project Lead France
Jitsi
emcho@jitsi.org PHONE: +33.1.77.62.43.30
https://jitsi.org FAX: +33.1.77.62.47.31


#4

Hi!

Hi!

I think Kurt overlooked that Jitsi ships with many pre-compiled .jar

Are you referring to the deb on the site?

I was referring to
<https://github.com/jitsi/jitsi/archive/Jitsi-2.2.tar.gz>; the source
zip files under "Downloads" have it too.

That's indeed a pre-compile
deb and not the one we submitted to Debian and that only contains
source files and not a single binary.

Okay, sorry, didn't inspect that one closer before.

files (that would end up installed 1:1 or as part of re-packed new .jar
files). That's a big issue for inclusion with a GNU/Linux distribution.
While I'm looking through Gentoo-glasses, Kurt's Debian-glasses
probably say something similar.

No they don't. We started working on the source-only package about
exactly one year ago. It was a very substantial effort (often very
frustrating), that included chasing down all the source code for all
the dependencies we have. Today we are quite happy and relieved to see
it nearing completion.

Actually, that sounds fantastic!

How are jitsi_2.3.4687.9786.orig.tar.gz and friends being generated?
Is there a list with the versions of all those dependencies?

Best,

Sebastian

···

On 27.06.2013 02:36, Emil Ivov wrote:

On Thu, Jun 27, 2013 at 1:56 AM, Sebastian Pipping > <sebastian@pipping.org> wrote:


#5

Hey Sebastien,

Hi!

Hi!

I think Kurt overlooked that Jitsi ships with many pre-compiled .jar

Are you referring to the deb on the site?

I was referring to
<https://github.com/jitsi/jitsi/archive/Jitsi-2.2.tar.gz>; the source
zip files under "Downloads" have it too.

That's indeed a pre-compile
deb and not the one we submitted to Debian and that only contains
source files and not a single binary.

Okay, sorry, didn't inspect that one closer before.

No problem. Hope you've also explained this to the DD whom you had alerted of the supposed irregularity. :slight_smile:

files (that would end up installed 1:1 or as part of re-packed new .jar
files). That's a big issue for inclusion with a GNU/Linux distribution.
  While I'm looking through Gentoo-glasses, Kurt's Debian-glasses
probably say something similar.

No they don't. We started working on the source-only package about
exactly one year ago. It was a very substantial effort (often very
frustrating), that included chasing down all the source code for all
the dependencies we have. Today we are quite happy and relieved to see
it nearing completion.

Actually, that sounds fantastic!

Now that it's ready it does indeed. The process of getting there was anything but.

How are jitsi_2.3.4687.9786.orig.tar.gz and friends being generated?

Yes, deb-src. It's in resources/install/build.xml

Is there a list with the versions of all those dependencies?

All the source code we use is on https://github.com/jitsi/libsrc

Cheers,
Emil

···

On 29.06.13, 19:49, Sebastian Pipping wrote:

On 27.06.2013 02:36, Emil Ivov wrote:

On Thu, Jun 27, 2013 at 1:56 AM, Sebastian Pipping >> <sebastian@pipping.org> wrote:

Best,

Sebastian

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

--
https://jitsi.org


#6

Here's what it generates:

https://download.jitsi.org/jitsi/nightly/debian-src/

Cheers,
Emil

···

On 29.06.13, 20:07, Emil Ivov wrote:

How are jitsi_2.3.4687.9786.orig.tar.gz and friends being generated?

Yes, deb-src. It's in resources/install/build.xml

--
https://jitsi.org


#7

Not yet. There might be a problem, still: the merging of .jar files.

Let's look at ant target "deb-bundle-sysactivitynotifications" for
instance. My understanding is that it creates
sysactivitynotifications.jar from a bunch of system .jar files
(dbus.jar, unix.jar, hexdump.jar) and selected jitsi .class files. So
the installed file contains a copy of the content of
/usr/share/java/dbus.jar of package libdbus-java at the version of the
jitsi package _build time_. When the libdbus-java package is updated in
Debian, the jitsi Debian package still contains the old code and users
will keep running the old code unnoticed. Especially with security
updates, that's critical. Resolving (some) of the re-packing should fix
the problem. I am wondering: why are .jar files merged in the first
place? Am I missing something?

Best,

Sebastian

···

On 29.06.2013 20:07, Emil Ivov wrote:

That's indeed a pre-compile
deb and not the one we submitted to Debian and that only contains
source files and not a single binary.

Okay, sorry, didn't inspect that one closer before.

No problem. Hope you've also explained this to the DD whom you had
alerted of the supposed irregularity. :slight_smile:


#8

That's indeed a pre-compile
deb and not the one we submitted to Debian and that only contains
source files and not a single binary.

Okay, sorry, didn't inspect that one closer before.

No problem. Hope you've also explained this to the DD whom you had
alerted of the supposed irregularity. :slight_smile:

Not yet. There might be a problem, still: the merging of .jar files.

Let's look at ant target "deb-bundle-sysactivitynotifications" for
instance. My understanding is that it creates
sysactivitynotifications.jar from a bunch of system .jar files
(dbus.jar, unix.jar, hexdump.jar) and selected jitsi .class files. So
the installed file contains a copy of the content of
/usr/share/java/dbus.jar of package libdbus-java at the version of the
jitsi package _build time_. When the libdbus-java package is updated in
Debian, the jitsi Debian package still contains the old code and users
will keep running the old code unnoticed. Especially with security
updates, that's critical. Resolving (some) of the re-packing should fix
the problem. I am wondering: why are .jar files merged in the first
place? Am I missing something?

Someone actually building on Debian would have to confirm this, but it is my
understanding that the jars you mention are not actually copied into the
destination bundle, but rather the symlink to them.

Best,
Sebastian

Ingo


#9

That's indeed a pre-compile
deb and not the one we submitted to Debian and that only contains
source files and not a single binary.

Okay, sorry, didn't inspect that one closer before.

No problem. Hope you've also explained this to the DD whom you had
alerted of the supposed irregularity. :slight_smile:

Not yet. There might be a problem, still: the merging of .jar files.

You realise this kind of sounds like blackmailing, right? "I'll keep blocking until I have been satisfied I have received enough answers" ;).

Personally I find this somewhat unpleasant ... but that might be just me.

Let's look at ant target "deb-bundle-sysactivitynotifications" for
instance. My understanding is that it creates
sysactivitynotifications.jar from a bunch of system .jar files
(dbus.jar, unix.jar, hexdump.jar) and selected jitsi .class files. So
the installed file contains a copy of the content of
/usr/share/java/dbus.jar of package libdbus-java at the version of the
jitsi package _build time_. When the libdbus-java package is updated in
Debian, the jitsi Debian package still contains the old code and users
will keep running the old code unnoticed. Especially with security
updates, that's critical.

Ingo already answered this. The jar-s are not repackaged. We only ship symlinks to these jars.

Resolving (some) of the re-packing should fix
the problem. I am wondering: why are .jar files merged in the first
place?

As explained, they are not merged. All these acrobatics happen because we use OSGi and we need all jars that Jitsi uses directly to appear as OSGi bundles.

Am I missing something?

It seems that you are (but go on blocking nonetheless :wink: ).

Emil

Cheers,
Emil

···

On 29.06.13, 21:12, Sebastian Pipping wrote:

On 29.06.2013 20:07, Emil Ivov wrote:

Best,

Sebastian

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

--
https://jitsi.org


#10

Not yet. There might be a problem, still: the merging of .jar files.

You realise this kind of sounds like blackmailing, right? "I'll keep
blocking until I have been satisfied I have received enough answers" ;).

Personally I find this somewhat unpleasant ... but that might be just me.

Okay, let me explain myself:

A few days ago, I played with making an (for now: unofficial) package of
Jitsi 2.2 for Gentoo Linux, see [1].

From that, my impression was that Jitsi depends on a pile of

pre-compiled .jar files (which for 2.2 seems true). Many if not most of
the Java applications go that road, even smaller ones. I was assuming
that I would have to help cutting those out one by one myself if I
wanted to see Jitsi in Gentoo one day.

When the "Comment posted on jitsi" mail flew by, I was afraid that all
these pre-compiled .jars would end up in the final Debian package so I
contacted Kurt to make sure he was aware of the problem I assumed. I
didn't look close enough.

I didn't reply to his reply earlier because I was still searching for
answers in the build system. I am in no power to block anyone's actions
on the mentored Debian packaging process, if that wasn't clear.

Actually, I might be able to help you get Jitsi into Gentoo.
If my part here looked like that of an enemy to you until now, I hope
that we can start fresh.

[1]
http://git.overlays.gentoo.org/gitweb/?p=proj/betagarden.git;a=tree;f=net-im/jitsi

Resolving (some) of the re-packing should fix
the problem. I am wondering: why are .jar files merged in the first
place?

As explained, they are not merged. All these acrobatics happen because
we use OSGi and we need all jars that Jitsi uses directly to appear as
OSGi bundles.

To best learn the differences from traditional .jars to OSGi bundles,
where would you send me? Anything to read that you can recommend in
particular?

Best,

Sebastian

···

On 29.06.2013 21:47, Emil Ivov wrote: