On Tue, Sep 28, 2021 at 2:26 PM Robert Marcano via devel
<devel(a)lists.fedoraproject.org> wrote:
> On 9/27/21 7:54 PM, Kevin Kofler via devel wrote:
> > Robert Marcano via devel wrote:
> >> I think the only way for the Java ecosystem to survive in Fedora outside of
> >> OpenJDK and some core components is to allow bundling (Even JavaScript
> >> bundling is already allowed), but how to do it without compromising
> >> security?
> >
> > The problem is that Java projects typically bundle prebuilt binaries, which
> > is a complete no go. The big issue is not that the libraries are bundled, it
> > is that they are bundled in prebuilt binary form, often even without the
> > source code at all.
>
> Even in the case of binaries committed to SCM repositories, allowing
> bundling would help a lot: add some kind of automation that replaces
> these jars for the proposed locally created Maven repository, and links to
> them, and add the metadata to the RPM to know it needs to be rebuilt when
> that dependency is updated. This is a lot easier than fighting old
> build scripts that don't use some kind of dependency manager. It will
> probably be hard for these kinds of packages, but any modern application
> using a modern build system could become easier to package.

This is actually 100% how packaging applications that use ant +
bundled dependencies (i.e. often .jar files in a "/lib/" directory)
has worked for ages already.
So the Java packaging tools we have in Fedora support this use case just fine.

Fabio