I mentioned this on IRC, but also wanted to send a message out to the bug list for posterity...
I've hit a bit of a snag with the libpomegranate-clojure packaging (#852246). While I did get the package to build, it doesn't actually work. I realized it relies on maven 3.0.4, which is only packaged in old-stable. Jessie packages version 3.0.5, and testing/unstable has 3.3.9. There are many breaking changes between Maven 3.0.4 and 3.3.9. Maven 3.0.4 poses two problems: first, it is affected by a medium-severity CVE[1] and should be patched to 3.0.5. Second, it relies on an old version of Aether under org.sonotype. Aether moved from being maintained by Sonotype to being maintained by Eclipse in 2012, and then Eclipse archived the Aether project in 2016. The Aether changes are why pomegranate does not work against Maven 3.3.9; many classes have been renamed, refactored, and moved. The most recent Maven release, 3.5.0, covers the migration of the Aether code directly into the Maven project.[2] It was released very recently, at the beginning of April. I see there's been some community effort to migrate pomegranate to Maven 3.3.9, but it has not yet succeeded.[3] I took a look at doing that last night, and it turns out to be quite complex. Hence, I see the following possible paths forward: - Upgrade upstream (whether that involves changes in pomegranate or directly in leiningen) to use Maven 3.5.0, and wait for Maven 3.5.0 to be packaged for unstable. - Upgrade upstream to use Maven 3.3.9. I don't think that including a Maven 3.0.5 package just for leiningen is possible, and that would also just constitute a stopgap in my opinion. Upgrading to Maven 3.5.0 is, in my opinion, the best option, as 3.3.9 depends on orphaned versions of Aether. Thoughts? - e [1]: https://maven.apache.org/security.html [2]: https://maven.apache.org/docs/3.5.0/release-notes.html [3]: https://github.com/cemerick/pomegranate/pull/80