On Sat, Mar 04, 2017 at 01:30:47AM +0100, Michael Biebl wrote: > Source: libapache-poi-java > Version: 3.10.1-3 > Severity: important > > libapache-poi-java is an indirect dependency of libreoffice, so pulled > in on every desktop installation. > > Having a build tool like ant being pulled because of a library > dependency is unwanted in such a case. Please consider dropping the > dependency on ant.
Hi Michael, Thank you for noticing this. I agree that it look odd. However, the apache-poi sources use classes from ant.jar - for example, refer to the classes in this package [1] - and currently that jar is shipped along with the ant package. I question whether it would worth it, but if this were causing a serious issue, we could discuss splitting ant into something like "ant-bin" (maybe there's a better name) and libant-java, so only the latter library package is a dependency of libapache-poi-java. In that case, I think we would still want to have an "ant" package that depended on both the library and the "ant-bin" cli build tools that are found in /usr/bin and /usr/share/ant/bin. Perhaps another reason to consider a split is because ant depends on a JRE (although I think you're going to need one anyway in order to do anything useful with apache-poi). But in terms of overhead, I don't think there's anything to be concerned about, because the ant wrapper scripts are tiny when compared to the jar file itself: $ du -sh /usr/share/ant/bin 40K /usr/share/ant/bin $ du -shL /usr/share/java/ant.jar 2.0M /usr/share/java/ant.jar So this seems more like a question of style. Do you still think the severity is important? Cheers, tony [1] https://anonscm.debian.org/cgit/pkg-java/libapache-poi-java.git/tree/src/excelant/java/org/apache/poi/ss/excelant
signature.asc
Description: PGP signature
