On 08.10.2021 at 14:11, Kevin Kofler via devel
<devel(a)lists.fedoraproject.org> wrote:
> Mario Torre wrote:
>> On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel wrote:
>>> And that is actually a problem rather than a solution. Maven artifacts
>>> are basically write once only. Everything depends on a hardcoded version
>>> which, once uploaded, is normally never touched again. This means that
>>> security bugs and other bugs never get fixed (unless the application
>>> bumps the dependency version, which can take months or years or even just
>>> never happen). That is exactly what the RPM system is designed to avoid.
>>
>> Well, that's why it should be "curated" and not just a mirror of maven
>> central.
> No amount of "curating" can fix this inherent design limitation of Maven.
Maven may have a lot of design limitations, but this scenario is none of them. No build
system can completely compensate for a careless developer or system administrator.
And what is the alternative? If we don't find a way to make building Java application
RPMs easier, there will be no Fedora RPM for many applications at all. And then, what
happens? The sysadmin installs a binary from some source. And then exactly what
you fear happens: the program runs forever, and that opens all sorts of cans of worms
(caching, reproducibility, changed checksums, etc.).
Peter
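The thread above turns on one mechanical fact: a Maven build pins every dependency to a hardcoded version (directly, through a property, or via dependencyManagement), and that pin stays put until a human bumps it, so a fix published upstream never reaches the application on its own. The following script is an added example, not code from this thread or from Fedora or Maven, showing the defender's side of that: it resolves the pinned versions out of a POM and flags the ones that sit inside a known affected range, which is the check a packager or sysadmin would run before shipping or installing such a binary. The pom.xml, the artifact coordinates and the advisory ranges are all constructed sample data; the resolver is a deliberately simplified model of Maven (no parent-POM inheritance, no transitive dependencies, plain numeric version comparison).

```python
"""Added example (not from the mailing-list thread): audit the hardcoded
dependency versions in a Maven POM against a list of affected ranges.
Everything below (POM, coordinates, advisories) is constructed sample data."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: one version pinned through a property, one supplied by
# dependencyManagement, one pinned directly in the dependency itself.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <jsonlib.version>2.3.1</jsonlib.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>httpkit</artifactId>
        <version>4.9.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>jsonlib</artifactId>
      <version>${jsonlib.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>httpkit</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>loggingcore</artifactId>
      <version>1.8.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: (groupId, artifactId, first affected, first fixed).
# The second entry is fixed in exactly the version the POM pins, so it must not fire.
SAMPLE_ADVISORIES = [
    ("org.example", "jsonlib", "2.0.0", "2.4.0"),
    ("org.example", "loggingcore", "1.0.0", "1.8.2"),
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) for tuple comparison; qualifiers are dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def resolve_dependencies(pom_xml):
    """Return {(groupId, artifactId): version} with properties and
    dependencyManagement resolved. Simplified: no parent POM, no transitives."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}

    managed = {}
    for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        key = (d.findtext("m:groupId", namespaces=NS), d.findtext("m:artifactId", namespaces=NS))
        managed[key] = d.findtext("m:version", namespaces=NS)

    deps = {}
    for d in root.findall("m:dependencies/m:dependency", NS):
        key = (d.findtext("m:groupId", namespaces=NS), d.findtext("m:artifactId", namespaces=NS))
        version = d.findtext("m:version", namespaces=NS) or managed.get(key)
        if version:
            # Expand ${property} references against the <properties> block.
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        deps[key] = version
    return deps


def audit(pom_xml, advisories):
    """List (groupId, artifactId, pinned version, first fixed version) for every
    pinned dependency whose version lies in [first_affected, first_fixed)."""
    deps = resolve_dependencies(pom_xml)
    findings = []
    for group, artifact, first_affected, first_fixed in advisories:
        pinned = deps.get((group, artifact))
        if pinned is None:
            continue
        if parse_version(first_affected) <= parse_version(pinned) < parse_version(first_fixed):
            findings.append((group, artifact, pinned, first_fixed))
    return findings


if __name__ == "__main__":
    for group, artifact, pinned, fixed in audit(SAMPLE_POM, SAMPLE_ADVISORIES):
        print(f"{group}:{artifact} pinned at {pinned}; fixed upstream in {fixed} "
              f"but the pin will not move until someone bumps it")
```

The point of resolving properties and dependencyManagement rather than grepping for `<version>` is that the effective pin is often not written next to the artifact that uses it, which is exactly how a stale version hides in a build that looks maintained. A real run would swap the constructed advisory list for a feed such as the OSS Index or GitHub Advisory data and walk the dependency tree (`mvn dependency:tree`) rather than the top-level POM alone.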