Mario Torre wrote:
On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel wrote:
> And that is actually a problem rather than a solution. Maven artifacts
> are basically write once only. Everything depends on a hardcoded version
> which, once uploaded, is normally never touched again. This means that
> security bugs and other bugs never get fixed (unless the application
> bumps the dependency version, which can take months or years or even just
> never happen). That is exactly what the RPM system is designed to avoid.
Well, that's why it should be "curated" and not just a mirror of maven
central.
No amount of "curating" can fix this inherent design limitation of Maven.
You cannot just replace foo-1.2.3 with a different version with security
fixes, that opens all sorts of cans of worms (caching, reproducibility,
changed checksums, etc.). So you need to upload something like foo-1.2.3.1
and then bump the dependency in every single application. How is that any
easier than just building against the latest foo to begin with?
Kevin Kofler