ITP: leiningen -- simple build system for Clojure
debian at hashman.ca
Mon May 8 18:30:57 UTC 2017
I mentioned this on IRC, but also wanted to send a message out to the bug list
I've hit a bit of a snag with the libpomegranate-clojure packaging (#852246).
While I did get the package to build, it doesn't actually work. I realized it
relies on maven 3.0.4, which is only packaged in old-stable. Jessie packages
version 3.0.5, and testing/unstable has 3.3.9. There are many breaking changes
between Maven 3.0.4 and 3.3.9.
Maven 3.0.4 poses two problems: first, it is affected by a medium-severity
CVE and should be patched to 3.0.5. Second, it relies on an old version of
Aether under org.sonotype. Aether moved from being maintained by Sonotype to
being maintained by Eclipse in 2012, and then Eclipse archived the Aether
project in 2016. The Aether changes are why pomegranate does not work against
Maven 3.3.9; many classes have been renamed, refactored, and moved. The most
recent Maven release, 3.5.0, covers the migration of the Aether code directly
into the Maven project. It was released very recently, at the beginning of
I see there's been some community effort to migrate pomegranate to Maven 3.3.9,
but it has not yet succeeded. I took a look at doing that last night, and it
turns out to be quite complex. Hence, I see the following possible paths
- Upgrade upstream (whether that involves changes in pomegranate or directly in
leiningen) to use Maven 3.5.0, and wait for Maven 3.5.0 to be packaged for
- Upgrade upstream to use Maven 3.3.9.
I don't think that including a Maven 3.0.5 package just for leiningen is
possible, and that would also just constitute a stopgap in my opinion.
Upgrading to Maven 3.5.0 is, in my opinion, the best option, as 3.3.9 depends
on orphaned versions of Aether.
More information about the Pkg-clojure-maintainers