On 06. 10. 21 at 7:08, Michal Srb wrote:
Hi folks,

@Matthew Miller Are you still trying to save Fedora from packaging the ocean? :)

On Mon, Oct 4, 2021 at 9:10 PM Fabio Valentini <decathorpe@gmail.com> wrote:
On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller <mattdm@fedoraproject.org> wrote:
>
> On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
> > I'm not sure what's the best solution, but I guess the number one
> > reason to have packages within the Fedora distribution is for a matter
> > of trust, if this is the case I would argue that a curated list of
> > maven packages served via a Fedora managed repository would be a
> > better investment.
>
> I'd love to see someone interested in this pursue this idea! I know we
> talked about it as long ago as... Flock Prague... and probably before.

This approach will buy you *literally nothing* compared to how things
already work, assuming you don't advocate just redistributing binary
artifacts / JARs from Maven Central.

Given that assumption, JARs would still need to be built 1) from
source, in a 2) trusted environment, 3) against trusted dependencies,
as I don't think any other approach should be acceptable for content
distributed by the Fedora Project.

But then you're back to *exactly how Fedora packages for Java projects
already work* - only with the added complication that distributing
those build artifacts as plain JARs instead of RPMs now makes them
impossible to consume as dependencies from other RPM builds.

I think it would actually make a huge difference.

Unlike RPM repositories, Maven repositories can easily hold multiple versions of libraries.


RPM repositories can hold multiple versions of libraries as well. This is a self-inflicted limitation of Fedora, because once you have multiple versions of libraries, you should also fix (security) bugs in those versions. And this is where it starts to be complicated.


Vít


Once a JAR is built, the resulting bytecode will work with current and future JVMs. There is no need to mass-rebuild JARs every 6 months. And there is certainly no need to try to run every single Java application with a single "system-wide" version of a library.

Fedora could ship just Java applications that would bundle JARs (whatever version they need) from the Fedora Maven repository. I don't see this as a problem, as long as it would be possible to track what JARs are bundled in what application.

Fedora maintainers could then focus on maintaining applications, and not maintaining a ton of individual libraries that nobody really cares about that much.

Thanks,
Michal
 

Fabio
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure