On 08.10.2021 at 02:06, Kevin Kofler via devel
<devel(a)lists.fedoraproject.org> wrote:
> Michal Srb wrote:
>> Unlike RPM repositories, Maven repositories can easily hold multiple
>> versions of libraries. ...
> And that is actually a problem rather than a solution. Maven artifacts are
> basically write once only. Everything depends on a hardcoded version which,
> once uploaded, is normally never touched again. This means that security
> bugs and other bugs never get fixed ...
A valid point, but only in case the app that consumes the maven artefact is unmaintained.
The goal of the "curated list" is to make building an "app-rpm" less
burdensome and provide for more apps as rpm this way. And the updated "app-rpm" would use
an updated version of that jar. And that app would be part of the usual rpm update
procedure.
>> Fedora could ship just Java applications that would bundle JARs (whatever
>> version they need) from the Fedora Maven repository. I don't see this as a
>> problem, as long as it would be possible to track what JARs are bundled in
>> what application.
> So you propose to bundle a whole bunch of JARs, some of which have been
> built many Fedora releases ago and might not even be buildable in any
> currently supported Fedora anymore?
No! See above.
> I think this would be not only a huge
> waste of space
Given the current size of hard drive space, this really isn't a problem. You won't
be able to install a meaningful collection of apps whose cumulative footprint of jars
installed in parallel leaves any noticeable trace on an x TB disk. But you gain a lot in
security if as many of these apps as possible are managed as rpm.