Hi folks,
@Matthew Miller Are you still trying to save Fedora from packaging the ocean? :)
On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller <mattdm@fedoraproject.org> wrote:
>
> On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
> > I'm not sure what's the best solution, but I guess the number one
> > reason to have packages within the Fedora distribution is for a matter
> > of trust, if this is the case I would argue that a curated list of
> > maven packages served via a Fedora managed repository would be a
> > better investment.
>
> I'd love to see someone interested in this pursue this idea! I know we
> talked about it as long ago as... Flock Prague... and probably before.
This approach will buy you *literally nothing* compared to how things
already work, assuming you don't advocate just redistributing binary
artifacts / JARs from Maven Central.
Given that assumption, JARs would still need to be built 1) from
source, in a 2) trusted environment, 3) against trusted dependencies,
as I don't think any other approach should be acceptable for content
distributed by the Fedora Project.
But then you're back to *exactly how Fedora packages for Java projects
already work* - only with the added complication that distributing
those build artifacts as plain JARs instead of RPMs now makes them
impossible to consume as dependencies from other RPM builds.
I think it would actually make a huge difference.
Unlike RPM repositories, Maven repositories can easily hold multiple versions of libraries. Once a JAR is built, the resulting bytecode will work with current and future JVMs. There is no need to mass-rebuild JARs every 6 months. And there is certainly no need to try to run every single Java application with a single "system-wide" version of a library.
Fedora could ship just Java applications that would bundle JARs (whatever version they need) from the Fedora Maven repository. I don't see this as a problem, as long as it would be possible to track what JARs are bundled in what application.
Fedora maintainers could then focus on maintaining applications, and not maintaining a ton of individual libraries that nobody really cares about that much.
Thanks,
Michal