On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel
<devel(a)lists.fedoraproject.org> wrote:
> Michal Srb wrote:
> > Unlike RPM repositories, Maven repositories can easily hold multiple
> > versions of libraries. Once a JAR is built, the resulting bytecode will
> > work with current and future JVMs. There is no need to mass-rebuild JARs
> > every 6 months. And there is certainly no need to try to run every single
> > Java application with a single "system-wide" version of a library.
> And that is actually a problem rather than a solution. Maven artifacts are
> basically write once only. Everything depends on a hardcoded version which,
> once uploaded, is normally never touched again. This means that security
> bugs and other bugs never get fixed (unless the application bumps the
> dependency version, which can take months or years or even just never
> happen). That is exactly what the RPM system is designed to avoid.
Well, that's why it should be "curated" and not just a mirror of maven
central.
Cheers,
Mario
--
Mario Torre
Manager, Software Engineering, core OpenJDK
Red Hat GmbH <https://www.redhat.com>
9704 A60C B4BE A8B8 0F30 9205 5D7E 4952 3F65 7898