AUR package naming for Java packages (was: [PRQ#42786] Deletion Request for autopsy-bin Rejected)
Thank you for bringing this up. Current guidelines for packages using prebuilt binaries, which were added in 2019 [1], are indeed unclear about Java packages. Literally, there is no rule about whether such Java packages should use a package name with the "-bin" suffix or not. I propose to require the "-bin" suffix for new Java packages using prebuilt binaries while allowing existing packages without the "-bin" suffix (i.e., no need to submit deletion/merge requests for them).

A modified rule can be:

* Packages that use '''prebuilt''' [[wikipedia:Deliverable|deliverables]], when the sources are available, must use the {{ic|-bin}} suffix. An exception to this is with [[Java package guidelines#Java packaging on Arch Linux|Java]], where new Java packages using prebuilt binaries must use the {{ic|-bin}} suffix, while existing such packages without the {{ic|-bin}} suffix are allowed. The AUR should not contain the binary tarball created by makepkg, nor should it contain the filelist.

Any opinions?

[1] https://wiki.archlinux.org/index.php?diff=572792

Best,
Chih-Hsuan Yen (yan12125)

---------- Forwarded message ---------
From: Marcell Meszaros <marcell.meszaros@runbox.eu>
Date: Sun, 30 Jul 2023 at 10:00 PM
Subject: Re: [PRQ#42786] Deletion Request for autopsy-bin Rejected
To: Chih-Hsuan Yen <yan12125@archlinux.org>, <aur-requests@lists.archlinux.org>
Cc: <contact@lsferreira.net>
autopsy-bin is a better package name for a package built from binaries.
In that case, please kindly revise the AUR submission guidelines, because currently it explicitly mentions Java as an exception to the '-bin' name suffix requirement. [a]

" * Packages that use prebuilt deliverables, when the sources are available, must use the -bin suffix. An exception to this is with Java. "

[a]: https://wiki.archlinux.org/title/AUR_submission_guidelines#Rules_of_submissi...

On 30 July 2023 15:26:43 GMT+02:00, Chih-Hsuan Yen <yan12125@archlinux.org> wrote:
Marcell Meszaros <marcell.meszaros@runbox.eu> wrote on Sun, 30 Jul 2023 at 6:20 PM:
@yan12125, why did you reject the deletion request for this duplicate?
AUR/autopsy also uses the precompiled Java bytecode as source.
So the two packages are truly duplicates, the only difference is that autopsy-bin is 1 year older and flagged OOD for that period.
On 30 July 2023 11:05:20 GMT+02:00, notify@aur.archlinux.org wrote:
Request #42786 has been Rejected by yan12125 [1]:
This is a java application so the suffix '-bin' is not necessary anyway.
Java packages can be either built from sources or binaries as well.
autopsy-bin is a better package name for a package built from binaries. Therefore, orphaning and updating autopsy-bin is better than deleting autopsy-bin. After that, autopsy can be merged into autopsy-bin in case it is not changed to be built from sources.
Best,
Chih-Hsuan Yen (yan12125)
On 31-07-2023 06:26, Chih-Hsuan Yen wrote:
Thank you for bringing this up. Current guidelines for packages using prebuilt binaries, which were added in 2019 [1], are indeed unclear about Java packages. Literally, there is no rule about whether such Java packages should use a package name with the "-bin" suffix or not. I propose to require the "-bin" suffix for new Java packages using prebuilt binaries while allowing existing packages without the "-bin" suffix (i.e., no need to submit deletion/merge requests for them).
A modified rule can be:
* Packages that use '''prebuilt''' [[wikipedia:Deliverable|deliverables]], when the sources are available, must use the {{ic|-bin}} suffix. An exception to this is with [[Java package guidelines#Java packaging on Arch Linux|Java]], where new Java packages using prebuilt binaries must use the {{ic|-bin}} suffix, while existing such packages without the {{ic|-bin}} suffix are allowed. The AUR should not contain the binary tarball created by makepkg, nor should it contain the filelist.
Any opinions?
[1] https://wiki.archlinux.org/index.php?diff=572792
Best,
Chih-Hsuan Yen (yan12125)
A few comments:

- package guidelines in archwiki are valid for the whole archlinux community, not just aur. aur-general is not the right place to discuss them.
(no idea if an RFC, wiki talk page, arch-general, arch-dev-public etc. is the right place).

- java has the concept of JAR files, https://en.wikipedia.org/wiki/JAR_(file_format)
Technically using jar files is not 'building from source' but they are not machine executable and not considered binaries.
Currently such packages don't get a -bin suffix, are you proposing new packages using jar files will require a -bin suffix?

Lone_Wolf
Hello,

Java packages are an exception and do not require the -bin suffix, they can either be built from source or use the jar provided by upstream in the normal package. Although, both are used within the official repositories, thus saying which one is the right one to pick is another question.

Personally I believe that Java code should still be compiled from source, and I have made this argument, but the fact is, when you compile Java it will become the same bytecode and will perform the same on the JVM, maybe if you wanted to compile the Java code with say Java 11 instead of latest it could be beneficial, but the general view is that compiling Java is too much effort and it's simply easier to copy the jar into the java directory. Although I disagree with this, it seems to be the going trend.

I have discussed this on IRC in the past with Alad (who made the change to the packaging guidelines on the ArchWiki), but the general idea I got from it is what I explained above, Java bytecode is not seen to be worth compiling from source.

As highlighted in the rejection thread, the answer has already been said there:
https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/m...

And then in the latest email to the list, requested the rejection to be revised:
https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/m...

I believe although this email thread I am replying to was created for the purpose of finding the answer to the deletion request, it serves a different purpose. The deletion request should have been accepted by what Marcell pointed out (both packages are duplicates, even with the different prefix), but I assume this thread is to discuss a change to the packaging guideline exception?

If so it might be worth doing the following:

- Add this to the talk page of the packaging guidelines, this will notify those who have contributed to the packaging guidelines, who may not be subscribed to the aur-general mailing list: https://wiki.archlinux.org/title/Talk:Arch_package_guidelines

- Try to contact Alad and discuss with him the reason for the change, as it seems you disagree with the rule. I am not sure if the change Alad made was personal bias or whether it was discussed with others and the consensus was to add the exception. Although, Alad is likely to find the post on the talk page, so maybe it could just be best to add this to the talk page and ask for Alad's opinion?

In general I still agree, I know of someone who downloaded a virus by trusting the jar file in the project's release, turns out it contained bytecode which was not released into the main repository, thus had malicious code in the redistributable.

I strongly agree with compiling from source, Java compiles reasonably fast so I do not see why we should not compile from source? Sure you can go inspecting the jar using bytecode decompilers, but surely it is easier simply to build from source.

Now I am sure a lot of people will point out "It is not secure unless you read the entire codebase and make sure the source code is completely safe", but the fact remains, redistributables can have anything within them, narrowing it down to the codebase you clone to build is still a first step to ensuring there is no malicious bytecode.

Plus, you can't patch bytecode, if the java code ever needs to be patched in the repository, then the entire PKGBUILD needs to be rewritten to compile from source instead of installing a jar, so isn't it simpler to just have all packages as source packages so if a patch is ever needed it's simple to do so?

I can see so many reasons for the "pointless" recompiling of Java code. Thus, the "-bin" suffix should include Java as well.

However I am not a TU/package maintainer and thus I have no authority, but my personal opinion is that it would be beneficial to remove the exception to the -bin flag in java packages.

Hope this helps,
-- 
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
- package guidelines in archwiki are valid for the whole archlinux community, not just aur. aur-general is not the right place to discuss them.
(no idea if an RFC, wiki talk page, arch-general, arch-dev-public etc. is the right place).
Thank you for the suggestion. Currently this topic is about `-bin` in AUR package names. As official packages do not have `-bin` in package names, I believe the topic is primarily for AUR.
- java has the concept of JAR files, https://en.wikipedia.org/wiki/JAR_(file_format)
Technically using jar files is not 'building from source' but they are not machine executable and not considered binaries.
Java bytecodes are instructions for Java virtual machines (or equivalent). Those are indeed binaries.
Currently such packages don't get a -bin suffix, are you proposing new packages using jar files will require a -bin suffix?
Yes, I propose to require the `-bin` suffix for new Java packages using JAR files or some other forms of binaries. The exception for existing packages is to avoid yet another flood of AUR requests. The exception may be removed after only a few such packages are left.
Hello,
Java packages are an exception and do not require the -bin suffix, they can either be built from source or use the jar provided by upstream in the normal package.
Although, both are used within the official repositories, thus saying which one is the right one to pick is another question.
Personally I believe that Java code should still be compiled from source, and I have made this argument, but the fact is, when you compile Java it will become the same bytecode and will perform the same on the JVM, maybe if you wanted to compile the Java code with say Java 11 instead of latest it could be beneficial, but the general view is that compiling Java is too much effort and it's simply easier to copy the jar into the java directory. Although I disagree with this, it seems to be the going trend.
Thank you for thoughts about sources vs. binaries. I'd like to focus on only package naming in this thread - compiling is another topic involving more than AUR and is better for a different channel. From the perspective of AUR packages, either compiling from sources or using prebuilt binaries is fine, as long as the difference is indicated in package names. There are already plenty of `-bin` packages on AUR, and I hope Java packages can follow the same rule as other packages eventually.
I have discussed this on IRC in the past with Alad (who made the change to the packaging guidelines on the ArchWiki), but the general idea I got from it is what I explained above, Java bytecode is not seen to be worth compiling from source.
As a side note, the relevant change is authored by polyzen in https://wiki.archlinux.org/index.php?diff=572792. The change by Alad (https://wiki.archlinux.org/index.php?diff=582291) is for cherry-picking.
As highlighted in the rejection thread, the answer has already been said there:
https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/m...
And then in the latest email to the list, requested the rejection to be revised:
https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/m...
I believe although this email thread I am replying to was created for the purpose of finding the answer to the deletion request, it serves a different purpose.
The deletion request should have been accepted by what Marcell pointed out (both packages are duplicates, even with the different prefix), but I assume this thread is to discuss a change to the packaging guideline exception?
My proposal is not really changing the exception, but to clarify it. Currently, the exception only indicates that Java packages are allowed to ignore the `-bin` rule, but it's unclear what rules Java packages should follow. I'm trying to fill up the gap.
If so it might be worth doing the following:
- Add this to the talk page of the packaging guidelines, this will notify those who have contributed to the packaging guidelines, who may not be subscribed to the aur-general mailing list: https://wiki.archlinux.org/title/Talk:Arch_package_guidelines
Good point. I will add a topic at the wiki talk page soon.
- Try to contact Alad and discuss with him the reason for the change, as it seems you disagree with the rule. I am not sure if the change Alad made was personal bias or whether it was discussed with others and the consensus was to add the exception.
Although, Alad is likely to find the post on the talk page, so maybe it could just be best to add this to the talk page and ask for Alad's opinion?
Thanks for the suggestion. I asked Polyzen on IRC, and he doesn't recall discussions about whether packages using JARs should have -bin suffix or not.
In general I still agree, I know of someone who downloaded a virus by trusting the jar file in the project's release, turns out it contained bytecode which was not released into the main repository, thus had malicious code in the redistributable.
I strongly agree with compiling from source, Java compiles reasonably fast so I do not see why we should not compile from source? Sure you can go inspecting the jar using bytecode decompilers, but surely it is easier simply to build from source.
Now I am sure a lot of people will point out "It is not secure unless you read the entire codebase and make sure the source code is completely safe", but the fact remains, redistributables can have anything within them, narrowing it down to the codebase you clone to build is still a first step to ensuring there is no malicious bytecode.
Plus, you can't patch bytecode, if the java code ever needs to be patched in the repository, then the entire PKGBUILD needs to be rewritten to compile from source instead of installing a jar, so isn't it simpler to just have all packages as source packages so if a patch is ever needed it's simple to do so?
I can see so many reasons for the "pointless" recompiling of Java code. Thus, the "-bin" suffix should include Java as well. However I am not a TU/package maintainer and thus I have no authority, but my personal opinion is that it would be beneficial to remove the exception to the -bin flag in java packages.
Thank you very much for great points about sources and binaries. Let's focus only on package naming first.
Hope this helps,
-- 
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
Regards,
Chih-Hsuan Yen (yan12125)