Hi folks,
@Matthew Miller <mattdm(a)redhat.com> Are you still trying to save Fedora
from packaging the ocean? :)
On Mon, Oct 4, 2021 at 9:10 PM Fabio Valentini <decathorpe(a)gmail.com> wrote:
On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller
<mattdm(a)fedoraproject.org>
wrote:
>
> On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
> > I'm not sure what's the best solution, but I guess the number one
> > reason to have packages within the Fedora distribution is for a matter
> > of trust, if this is the case I would argue that a curated list of
> > maven packages served via a Fedora managed repository would be a
> > better investment.
>
> I'd love to see someone interested in this pursue this idea! I know we
> talked about it as long ago as... Flock Prague... and probably before.
This approach will buy you *literally nothing* compared to how things
already work, assuming you don't advocate just redistributing binary
artifacts / JARs from Maven Central.
Given that assumption, JARs would still need to be built 1) from
source, in a 2) trusted environment, 3) against trusted dependencies,
as I don't think any other approach should be acceptable for content
distributed by the Fedora Project.
But then you're back to *exactly how Fedora packages for Java
projects
already work* - only with the added complication that distributing
those build artifacts as plain JARs instead of RPMs now makes them
impossible to consume as dependencies from other RPM builds.
I think it would actually make a huge difference.
Unlike RPM repositories, Maven repositories can easily hold multiple
versions of libraries. Once a JAR is built, the resulting bytecode will
work with current and future JVMs. There is no need to mass-rebuild JARs
every 6 months. And there is certainly no need to try to run every single
Java application with a single "system-wide" version of a library.
Fedora could ship just Java applications that would bundle JARs (whatever
version they need) from the Fedora Maven repository. I don't see this as a
problem, as long as it would be possible to track what JARs are bundled in
what application.
Fedora maintainers could then focus on maintaining applications, and not
maintaining a ton of individual libraries that nobody really cares about
that much.
Thanks,
Michal
Fabio
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure