On Thu, Sep 10, 2020 at 01:50:55PM +0100, Joe Orton wrote:
> 4. The benefit we want to preserve from modules is to maintain packages
> with varying expectation of quality, specifically separating the
> build-time-only vs runtime dependencies. e.g. in the case that a web
> server like Eclipse Jetty is required as a dep for testing another
> component during the build, we want to be able to use and build that
> component, without being indefinitely on the hook for security errata.
> (The build dependency tree is particularly complex for Maven and
> involves many examples of packages with frequent and high severity
> vulnerabilities)

What are you doing differently in terms of supporting deps in the module
that reduces the security errata burden, compared to non-modular builds?

It feels like if we have some policy that is creating unsustainable
maint burden wrt non-modular packaging, we should re-examine this
policy rather than trying to work around it by going modular, which
creates a different kind of maint burden.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|