"Dr. Arne Babenhauserheide" <arne_...@web.de> writes:
> [[PGP Signed Part:Undecided]] > > Tim Cross <theophil...@gmail.com> writes: >> I agree. As pointed out already, just bundling the jar file is not >> sufficient as you need a java runtime as well. > > Java is available in my distribution, ditaa is not. Removing ditaa from > org means that I have to do manual installation and configuration, while > with ditaa bundled, org-mode can simply note that I need java installed. > I get that. However, this is of course not the case for many users (Mac, Windows). Having to install additional software to realise org functionality is normal for much of org-mode. In fact, I had to install ditta when I first used it because it wasn't bundled. That was not an issue and no surprise given I also had to install textlive, plantuml, graphviz, taskjuggler, ledger, sqlite and many other things. I understand the convenience for users argument. However, I think we also need to consider the maintenance overheads and consistency aspects as well (including dealing with bug reports when it doesn't work). >> If we bundle it, we also need to ensure it is updated if/when new jar >> versions are released. > > We can do that, but we don’t have to. As long as the bundled jar works, > it is much better than no jar. And users can use newer version as they > like by changing the jar-path. > > Note that this isn’t about security, since even if an old version of > ditaa should turn out to be vulnerable, this would still be less > dangerous than a shell-block. Therefore old versions of ditaa are > completely fine. > My thoughts were more about bugs and confusing deprecation warnings which can arise when using an older jar file with a more recent jre. Ultimately, it will fall to whoever steps up to maintain ditta support to decide. -- Tim Cross