Sorry, I think you negligently underestimate the importance of Java packages. Even for a 'simple' Tomcat you need system management infrastructure, log file management, consistency with other programs and libraries, update management and much more. Neither a download of an Apache Binary nor maven can help. Maven is great if you need libraries for development, and perhaps for updating individual libraries in a running system. We urgently need a solution for the listed problems. So in short Manpower.

On Wed, 9 Sep 2020 at 09:37, Björn Persson <Bjorn(a)xn--rombobjrn-67a.se&gt; wrote: It doesn't scale.. but neither does having all those packages owned and looked at by 1 person. Either people need to start helping or this is the future. People have instead spent the last decade usually saying 'I need this but have no idea how to maintain it so you can't get rid of it.' That has led to the point where the people who were trying to do this made it into modules to make their lives easier and when that made other people's lives harder.. deciding that it was an unwinnable game so why participate any longer. The cost of free packages is eternal vigilance on their maintenance. -- Stephen J Smoogen.

I think there's a difference between libraries and applications though. I for one think that not having Eclipse packaged in Fedora/RHEL etc.. would be a big loss, the same goes for Mission Control which we maintain On Wed, Sep 9, 2020 at 5:00 PM Aleksandar Kurtakov <akurtako(a)redhat.com&gt; wrote: wrote: directly from upstream. users are smart enough to manage the Java packages. php, python: packaging only the base language and anything that is not available in executable formats. looked at by 1 person. Either people need to start helping or this is the future. People have instead spent the last decade usually saying 'I need this but have no idea how to maintain it so you can't get rid of it.' That has led to the point where the people who were trying to do this made it into modules to make their lives easier and when that made other people's lives harder.. deciding that it was an unwinnable game so why participate any longer. "meh, who cares" group - because I see more and more things coming our way for maintenance so the choice in front of us is "work on upstream Eclipse" or "keep Eclipse RPM packages". One can easily guess what wins. org/en-US/project/code-of-conduct/ org/archives/list/devel(a)lists.fedoraproject.org org/en-US/project/code-of-conduct/ fedoraproject.org org/en-US/project/code-of-conduct/ fedoraproject.org -- Mario Torre Associate Manager, Software Engineering Red Hat GmbH <https://www.redhat.com> 9704 A60C B4BE A8B8 0F30 9205 5D7E 4952 3F65 7898 -- Mario Torre Associate Manager, Software Engineering Red Hat GmbH &lt;https://www.redhat.com&gt;<br>9704 A60C B4BE A8B8 0F30 9205 5D7E 4952 3F65 7898

On Tue, Sep 8, 2020 at 4:19 PM Fabio Valentini <decathorpe(a)gmail.com&gt; wrote: For those who are willing to help out, is https://pagure.io/java-maint-sig/issues the place to go to figure out what needs to be done? Is there any kind of TODO list or wishlist elsewhere? You've mentioned having some kind of script that rebuilds the Java world to check for issues relating to package updates. Is that available to the public? How long does it take to run (and on what hardware do you run it)? Speaking of helping out, if anybody wants mockito 3.x in Fedora, here is a pull request to do just that: https://src.fedoraproject.org/rpms/mockito/pull-request/2 -- Jerry James http://www.jamezone.org/

On Thu, Sep 10, 2020 at 12:43 AM Alexander Scheel <ascheel(a)redhat.com&gt; wrote: (snip) Yeah, those are the high-level tasks I'm tracking. There's also a kanban board for individual, smaller tasks: https://teams.fedoraproject.org/project/java-package-maintainer-sig/kanban And if you're feeling old-fashioned, this is a custom bugzilla search for SIG bugs: https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classific... I did not. The data was largely maintained manually, and it was too big a time sink to keep around. I see the kanban board as a replacement for the backlog. I intend to also push the scripts to the java-maint-sig pagure repo eventually. I just haven't gotten around to do that yet. Fabio > There is also: > > > HTH, > Alex > > > Speaking of helping out, if anybody wants mockito 3.x in Fedora, here > > is a pull request to do just that: > > https://src.fedoraproject.org/rpms/mockito/pull-request/2 > > -- > > Jerry James > > http://www.jamezone.org/ > > _______________________________________________ > > devel mailing list -- devel(a)lists.fedoraproject.org > > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > _______________________________________________ > devel mailing list -- devel(a)lists.fedoraproject.org > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Hi all, I'm writing as the Red Hat engineering manager responsible for Maven and Ant in RHEL, and on behalf of Mikolaj Izdebski and Marian Koncek from my team.  I want to give a broad response to some of the points here: 1.  The team has two missions in Fedora: a) We deliver, maintain and support Ant and Maven in Fedora. Our aim is to provide developers with the most popular Java build systems which are reviewed, tested, and updated through the release lifecycle.  b) We design, develop and document tooling that enables anyone to package Java software with a simple, efficient and scalable process. We are also active members of Java SIG, collaborating on complex changes and guiding new contributors. 2.  We are committed to maintaining the Ant and Maven modules in Fedora.  We have always expected to make them available as default streams and in the buildroot so they can be available and consumed by non-modular packages, but we completely respect the decisions of FESCo to disallow default streams and of other contributors to adopt and maintain the non-modular packages.  We are not going to promise to commit time and resources to maintain the non-modular packages. 3. Our efforts are currently directed mainly at minimization of the dependency tree which leads to maven and ant, automating the process of bootstrapping maven and updating related components, so that new versions can be imported and built reproducibly and with consistent quality. 4. The benefit we want to preserve from modules is to maintain packages with varying expectation of quality, specifically separating the build-time-only vs runtime dependencies.  e.g. in that case that a web server like Eclipse Jetty is required as a dep for testing another component during the build, we want to be able to use and build that component, without being indefinitely on the hook for security errata.  (The build dependency tree is particularly complex for Maven and involves many examples of packages with frequent and high severity vulnerabilies) Regards, Joe

On Thu, Sep 10, 2020 at 3:29 PM Dominik 'Rathann' Mierzejewski <dominik(a)greysector.net&gt; wrote: Javapackages is the main project that provides Java packaging tooling. I am maintaining it both upstream [1] and in Fedora, also as ursine package [2]. All Fedora packages shipped to users are expected to be high-quality and well maintained, which may impose a very significant burden on maintainers. But for build-only packages (packages are used only during build, not shipped to users), many of package maintainer responsibilities [3] can be reduced to almost nothing. For example "manage security issues" means triaging them and fixing only very small subset of them (since user can't install the packages, most of vulnerabilities are not exploitable), "deal with reported bugs" means closing them NOTABUG as users can't possibly install the package in a "supported" way, "track dependency issues" duty is reduced as nothing non-modular can depend on the package, and so on. [1] https://github.com/fedora-java/javapackages [2] https://src.fedoraproject.org/rpms/javapackages-tools [3] https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibil...

On Thu, Sep 10, 2020 at 01:50:55PM +0100, Joe Orton wrote: What are you doing different in terms of supporting deps in the module that reduces the security errata burden, compared to non-modular builds ? It feels like if we have some policy that is creating unsustainable maint burden wrt non-modular packaging, we should re-examine this policy rather than trying to workaround it by going modular, which creates a different kind of maint burden. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, Sep 10, 2020 at 4:04 PM Petr Pisar <ppisar(a)redhat.com&gt; wrote: +1 That is very well put, thanks Petr for explaining it in detail.

On Thu, Sep 10, 2020 at 4:35 PM Tomasz Torcz <tomek(a)pipebreaker.pl&gt; wrote: Modules can be built locally with "fedpkg module-build-local", which downloads required dependencies from Koji and installs them in mock chroot. These packages are not installed directly (outsides of chroot) on users systems.

On Thu, Sep 10, 2020 at 04:03:46PM +0200, Petr Pisar wrote: So conceptually, one way we can solve this problem by implementing a way to mark certain non-modular RPMs as "build root only" packages and thus composing them into a separate "build root" yum repo, that is not enabled by default except in the build system. Modularity is being used because it is the only solution that is available today, not because it is a good/desired solution. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, Sep 10, 2020 at 01:37:41PM -0400, Neal Gompa wrote: We already have this feature in Fedora via Modularity. If it is unacceptable for Fedora, we shouldn't do it in modules either, while if it is acceptable, then we should allow it for non-modular content. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, Sep 10, 2020 at 7:31 PM Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: Yes. This can also be achieved with on-demand side tags that are already implemented: "build-only" packages are built in a sidetag and untagged before sidetag is merged. They never appear in release tags and they are not shipped to users. Builds can be reproduced locally in mock with configs generated by "koji mock-config" command. Right. Modularity is definitely not the best solution, and IMHO it definitely has worse user experience compared to ursine packages. Modularity is used because it was the only solution available at the moment the decision (to modularize Maven and Ant) was made. Since then an alternative solution was developed, but we haven't decided to switch back to ursine packages yet, although we are considering that.

On Thu, 10 Sep 2020 at 13:31, Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: The problem is that you may need differing packages for your 'build-root'. This means that someone has to determine if your buildroot only has foobar-1.2-3 or foobar-2.3-4 which are neither wanted to be in the buildroot but unison-2.1 needs one and unison-2.2 needs the other. [Or some toolkit where to get to the next version you need to compile a version before the one you have with different yacc/etc and then need the next version to finish the build.] The more fundamental problem is that everyone assumes that if it lives in the buildroot only.. it magically doesn't have any bugs which can cause problems with a package being compiled by it. Instead it is now a package which no one can easily inspect to see that XYZ app is dumping core because your buildroot only yacc is a recycled road apple. -- Stephen J Smoogen.

Hi Joe, On Thu, Sep 10, 2020 at 8:52 AM Joe Orton <jorton(a)redhat.com&gt; wrote: As a reminder (as in my RHEL devel-list reply): there are no default module streams in Fedora. There is also no Ursa Major/Prime, so were they to exist, there would still be no way for non-modular packages to use them. This makes the artifacts produced here useful only to other modules. Non-modular packages maintained by other Red Hatters, like Eclipse and Dogtag PKI cannot use these artifacts. Both of these stacks have tried to modularize in Fedora but ultimately remained non-modular.

On Thu, Sep 10, 2020 at 10:11 AM Aleksandar Kurtakov <akurtako(a)redhat.com&gt; wrote: Mat Booth (also from the Eclipse team!) still actively helps out with this packaging as RPMs and we thank him for his efforts while they last. :-) But Flatpak isn't suitable for everyone--it isn't great for servers like Dogtag and IdM for instance. So we still need RPM packaging around for that. Also, does that mean Eclipse won't be in RHEL-9? So far it looks like it is not rebuilt for ELN so it seems likely it won't be. https://koji.fedoraproject.org/koji/packageinfo?packageID=183 - Alex

On Thu, Sep 10, 2020 at 5:54 PM Vitaly Zaitsev via devel < devel(a)lists.fedoraproject.org&gt; wrote: As I've been involved in ant/maven packaging for a decade or so I would dare to say that this is not the truth. It just exposed the fact that less and less people were actively maintaining things as most of the people that used to do it moved on to other things and the number of new people that joined is quite low. So the burden on people left is bigger and bigger. -- Alexander Kurtakov Red Hat Eclipse Team

On 10. 09. 20 16:53, Vitaly Zaitsev via devel wrote: It did. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

On Fri, Sep 11, 2020 at 10:56 PM Jie Kang <jkang(a)redhat.com&gt; wrote: The FESCo ticket is here: https://pagure.io/fesco/issue/2406 Specifically, the decisions are documented in this comment: https://pagure.io/fesco/issue/2406#comment-658315 The relevant one being the unanimous decision to ban modular-only packages: "AGREED: Modular-only packages are not allowed and modular versions are only [to] be allowed as alternatives to non-modular packages. (+9, 0, -0)" Hope that helps. Fabio

On Thu, Sep 10, 2020 at 10:54 AM Vitaly Zaitsev via devel <devel(a)lists.fedoraproject.org&gt; wrote: Flat*hub* is third party, but we have first-party flatpaks at registry.fedoraproject.org. The flatpak package adds it as a remote via /usr/lib/systemd/system/flatpak-add-fedora-repos.service -- Ben Cotton He / Him / His Senior Program Manager, Fedora & CentOS Stream Red Hat TZ=America/Indiana/Indianapolis

I totally agree Ciao Guido

Mikolaj Izdebski <mizdebsk(a)redhat.com&gt; writes: Fedora 31 is most likely EOL in about two months. I really hope you're not targeting your future development against it. Thanks, --Robbie

On Thu, Sep 10, 2020 at 09:59:05PM +0000, Zbigniew Jędrzejewski-Szmek wrote: You are right that bundling is one of the features of Modularity and that this freedom undermines an integration effort on the Fedora distribution level. But bundling is not the only appeal for Maven maintainers. If I can speek for Mikolaj, then another appeal is sharing a module among multiple Fedora releases. Because byte-compiled Java code is portable, it is possible to build a module on Fedora 31 and have the same module build available on Fedora 34. This saves the module maintainers from the burden of rebuilding the Java packages for each Fedora and Modularity is the first place that actuallty can leverage this Java feature. Not really. Modules are collections of packages and various modules can share the sources of the same packages. That means that Modularity does not prevent from sharing a maintenance cost of the packages. It only makes it more difficult, because of worse discoverbility and a wider selection of the choice. Sarcasm: I really like how other one people order other ones that they have to maintain the packages for them. -- Petr

Dne 11. 09. 20 v 8:43 Petr Pisar napsal(a): While the idea of sharing between Fedora is nice, it won't work in practice. There is more then just "byte-compiled Java code is portable". This allows you to ship certain set of the packages, but it won't allow you to easily update any single package. You have always consider the API changes, dependency changes and if the update of the package, which you would do on Rawhide and would be perfectly fine, won't break other parts of F31 ecosystem. The choice is not any easier. If on the other hand the F31 was left in the state when it was branched + applying fixes, the Rawhide would be free to update the packages. Not mentioning that keeping the one set of packages is possibly against the idea of Fedora update policy [1]. Vít [1] https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/

Thank you for describing the entire story from your pov, I think it's very helpful! On 11. 09. 20 9:34, Mikolaj Izdebski wrote: I guess there are two sides of this: - the lost features Can you work together with the new Java maint SIG to have those features integrated in the nonmodular packages? - the lost years While sad I believe that at a certain point, we need to be able to admit that the years are lost in order to save ourselves from loosing even more years. This is a very important aspect in accepting that modularity in Fedora was a failure. If we don't do this, we'll keep failing. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

On Thu, Sep 10, 2020 at 01:50:55PM +0100, Joe Orton wrote: Joe, here's a part I hope you can help me understand better. Modularity isn't an entirely new packaging technology. It's simply a layer on top of RPM. Modules are made out of RPMs, and by design, their specfiles are exactly the same as RPMs which happen to be grouped into modules. I understand that it's nice to have exactly one workflow, but it doesn't seem like it's actually all that much extra effort on top of what you already have to do to maintain the module to make a non-modular build. Is this something where triggering the non-modular builds in the same way you build the module would make a difference? Or is there something else that I'm not seeing? -- Matthew Miller <mattdm(a)fedoraproject.org&gt; Fedora Project Leader

On Fri, Sep 11, 2020 at 10:16:02AM +0200, Mikolaj Izdebski wrote: Whoha! Let's step back for a minute and look at this example. What are the reasons to run tests? To make sure the package will run correctly.. Why run tests on 12-years old version instead of on current one? Probably because tests fail on current version? Will the end user run the package on obsolete Tomcat or on the current one? Of course on the current one. The one on which tests fail. Tests in this case are worthless, they are not testing the real situation. Disabling tests is no worse than testing on obsolete version. Relying on such tests is a disservice for the end user. The point of testing is to validate code in real situation. Crafting special, unrealistic environment (12 years old Tomcat) just to have test pass is missing the point of tests. -- Tomasz Torcz There exists no separation between gods and men: tomek(a)pipebreaker.pl one blends softly casual into the other. — Frank Herbert

On Fri, Sep 11, 2020 at 11:54 AM Tomasz Torcz <tomek(a)pipebreaker.pl&gt; wrote: Well, you do realize how much not feasible it is for the Fedora maintainer of hundred packages to go out and not only fix the builds, bugs, CVEs and etc. but even the tests for all these packages. The unrealistic expectations for what package maintainer should do is really not helping growing that number. -- Alexander Kurtakov Red Hat Eclipse Team

On Fri, Sep 11, 2020 at 2:02 PM Adam Williamson <adamwill(a)fedoraproject.org&gt; wrote: Thank you for making these points. These are my thoughts *exactly*. As a newcomer to packaging, I was willing to start helping out with those packages that I depended on, to bring them up to speed, and it was relatively easy to take on a few, because everything was out in the open. But once things started getting retired (at a pace I couldn't keep up with), even though they were still technically maintained in some hidden world that I didn't understand, I was completely turned off from helping out with more of the dependencies that my Java projects required and had to retire my Java packages as well. I would go further to suggest that poorly-maintained libs like these are perfect opportunities for mentoring new people and community growth. FWIW, every year in October, for the past several years, Digital Ocean and GitHub have teamed up to sponsor "Hacktoberfest" (I've participated, but am not affiliated with either of them at all). Projects label their issues with a "Hacktoberfest" or "Good first issue" or "Help Wanted" label, and people from all over the world contribute to projects with such labels... projects they've never contributed to before... it's a great outreach program for open source. I understand the reasons against using GitHub for our package sources, but imagine if we took our poorly-maintained projects, and instead of retiring them, we used them for such opportunities? Imagine how much more awesome Fedora could be! I'd much rather have a bunch of outdated Java libs laying around in a world where such opportunities existed with a low bar to entry, than to have a smaller set of up-to-date packages with fewer such opportunities, and a higher bar to entry. > -- > Adam Williamson > Fedora QA Community Monkey > IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net > http://www.happyassassin.net > _______________________________________________ > devel mailing list -- devel(a)lists.fedoraproject.org > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

On Thu, 17 Sep 2020 at 12:53, Matthew Miller <mattdm(a)fedoraproject.org&gt; wrote: Those packages get bugs and bugzilla is a monkey on the back of every packager.. having a ton of packages which you know you aren't going to fix but are still going to get bugs on with the conversation going like: 'its broke' 'yes I know its broke.. I just need the header files' 'well I need it to work' 'well fix it yourself' 'no that is your job.. it says you OWN THE PACKAGE'. 'I just own it to build foobar' 'too bad.. i am taking this to lwn/slashdot/twitter/reddit' I think that if we are going to have 'extra' packages which are needed for 'core' packages, we should be explicit and own the fact that this 'package everything for everyone' only worked when working on Operating Systems was 'hot' and has been replaced with cloud, containers, and whatever other sugar coated candy cereal people have to have with a toy inside these days. -- Stephen J Smoogen.

On 18/9/20 03:43, Matthew Miller wrote: IMO this should be done before the bug is created. You can set the default bug description template for the component to a template with this message in it. It probably needs to be reflected in other UIs related to Fedora packaging, so it should be tracked somewhere and when the fedora bot updates the component details in Bugzilla it could change the default description template to match the update policy. There might have more than 2 states for this. Cheers, Jeff.

Matthew Miller wrote: That is a pretty strong assertion, with no facts to back it. I think that packagers are more likely to be driven away by changes such as Modularity that make packaging more and more complex, or even by the very fact that the dependencies they need were taken private by their maintainer, than by the very reasonable minimum standard we want to hold our packagers to. A private dependency is necessarily a form of technical debt that is inevitably going to hurt us as soon as we want to package something else that happens to depend on that same dependency. (Unless of course the dependency really cannot be used for anything else than building that one dependent package, in which case nobody is going to expect the maintainer to make it work for anything else even if it is public, so that trivial case need not be considered any further.) Hence, this risks driving away the people who would be packaging the other dependent packages if the dependency was readily available to them. And that is just the impact on packagers. You also have to consider the impact on end users. Do not forget that most packagers were users before becoming packagers. Hiding packages from users or labeling them as officially unsupported is going to make Fedora less attractive to users, which in turn will lead to fewer people potentially becoming packagers. Kevin Kofler

On Thu, Sep 17, 2020 at 12:51:46PM -0400, Matthew Miller wrote: Do you mean literally a README file under /usr/share/doc/${PACAKGE}/ directory? That won't work, because nobody looks there. Either the package should be moved into a separate repository that an end user have to explicitly enable and later can inspect an origin of the package with "dnf info $PACKAGE", or the package should not be distributed at all. Pungi tool that produces the distribution composes supports it. It's only a matter of configuration. (Or we can invent a new RPM tag for a support level of the package.) -- Petr

On Fri, Sep 18, 2020 at 12:21:15PM +0200, Dominik 'Rathann' Mierzejewski wrote: Do you think that package users consult dist-git before reporting a bug? I think the idea with a template in Bugzilla was better. Moreover that file was supposed to display a source package description on all possible places (and originally was supposed to automatically updated from SRPM packages, but that was never implemented). At the end a packager can put the notice into %description of the spec file. I sometimes document there how the files are distributed among the subpcackages. -- Petr

On Fri, Sep 18, 2020 at 5:30 PM David Cantrell <dcantrell(a)redhat.com&gt; wrote: (snip) I completely agree. The only way to move forward is to make maintenance of shared parts of the stack a collaborative effort. Just to clarify, the Stewardship SIG now maintains zero packages. The handful of NodeJS packages we had were either dropped or adopted by somebody else ages ago. All Java packages were moved into the "rebirthed" Java SIG. Yes. That's kinda the reason I "restarted" the effort for a Java SIG? The initial progress (then still under the Stewardship SIG umbrella) was slow - because almost everything was old and broken - but now, the Java stack is in *much better shape*. Arguably, it is in better shape than it had been for years, being ~75% up-to-date with upstreams now, with *zero* FTBFS issues for f32+, and *zero* open CVEs in the core stack. We already did the hard work of keeping everything from exploding. Now it's mostly back to normal, boring package maintenance. This is also conducive for getting new people involved with the Java SIG. The barrier of entry is much lower now, since not everything is broken left and right, but actually surprisingly pleasant to work with. Making incremental changes and updates is much easier when the stack is in good shape ... I've also been seeing an increasing number of contributions (and contributors) over the past months. It turns out, some of our packages are depended on by basically the entire distro (including libreoffice, FreeIPA, libvirt, qemu, etc.) so packagers are actually interested in keeping things working, now that the stack is not threatening to implode any day. Fabio > If I am using a package as a build dep and find it's outdated or > broken in some way, I can fix it and send a PR in Pagure to update it. > The maintainer can review and merge that or at least start a > discussion with me on the why and how of the change. I haven't had to > take complete ownership of that package, but just spent the time to > fix the problem I saw. For packages in a less than bleeding edge > ultra stable state, my main concern is that they are functional rather > than latest version. I suspect many of us also prefer that for build > deps in most cases. > > Maybe in addition to a per-package README, a broader communication of > this process to the community as well as providing a link to open bug > queries for packages would be useful for work similar to the "kernel > janitors" type work for the kernel. Lots of stuff has to be done on > an ongoing basis and everyone can chip in from time to time. We could > consider a standard doc name like "MAINT" or something in the package > that describes the specifics regarding maintenance in Fedora. > > Thanks, > > -- > David Cantrell <dcantrell(a)redhat.com&gt; > Red Hat, Inc. | Boston, MA | EST5EDT > _______________________________________________ > devel mailing list -- devel(a)lists.fedoraproject.org > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Hi, First of all a big thank you to everyone involved in the discussion for the constructive discussion. I agree that the situation around java packaging is quite worrying and I'm happy to see that people are trying to come up with a pragmatic solution to the current deadlock situation. On 9/11/20 10:16 AM, Mikolaj Izdebski wrote: <snip> <snip> Allow me zoom in on some of the examples you give here. I realize they are just examples but maybe we can extract some patterns from them and come up with solutions to allow you to maintain the and and maven stacks inside the ursine package collection, without increasing your workload. So for this tomcat needed for testing problem, I'm thinking that we might solve this in a very non Fedora way. Why not bundle the old tomcat-sources with the sources which need it for their test-suite (and build it before running the tests). I realize that this is ugly; and if many packages need this old tomcat it will not scale (but I hope that is not the case). Despite those disadvantages I believe that this would be a good solution. The reason why I'm thinking in this direction is as follows: Like others, I'm very much against the notion of buildroot only packages, esp. the side-tag idea is terrible as it makes rebuilding the package from source very hard for end users. To me Fedora would not be Fedora if users can easily rebuild their packages. Bundling the old tomcat sources, so that the test-suite can run, without that old tomcat ever getting installed on the users system, to seems like a decent workaround for the issue of the tests depending on this old tomcat. So if you say that you only need the minimal Ant, and I guess many packages only need the minimal Ant to build, then why not have an ant-minimal package, like we have a vim-minimal ? Now I guess that vim-minimal and "proper" vim are both build from the same source-rpm; and normally we never allow 2 srpms with the same upstream sources in them. But I think that in this case we could make an exemption where there is a separate pkg-git and srpm for an ant-minimal which you would maintain. And then the community / java-sig can maintain the full Ant as I believe is already happening since we do have an ant packaged in Fedora 33 atm. I hope that these 2 examples show that at least in some cases we may be able to come up with creative solutions for the problems involved in java packaging. ### An other more generic approach which has been brought up once or twice, but which not really has been discussed in much detail yet I believe is creating a fedora-builddep repository. ATM a normal user has 3 ursine Fedora repos installed: fedora fedora-updates fedora-updates-testing (disabled by default) What if we add a 4th repo called fedora-builddep: fedora fedora-updates fedora-updates-testing (disabled by default) fedora-builddep (rolling (within a release), disabled by default) So the idea is that all the maven deps which you need, but do not want to offer any end-user support on would go to fedora-builddep. Taking Fedora 33 as an example then: 1) The fedora-33-buildroot pkg-set would consist of fedora-33 + fedora-33-updates + fedora-33-builddep 2) When you build a newer package in the fedora-33-builddep tag (which uses the fedora-33-buildroot) it will automatically get added to the fedora-33-builddep compose right away, that is what I mean with fedora-builddep being rolling. I think that this gives you the builddep only packages which you want, while still allowing end-users to easily rebuild things (users only need to enable the -builddep repo). Then the main thing which we need on top of this is to very clear communicate what sort of expectations users can have wrt support and esp. wrt security updates from packages in the builddep repo and make sure that that message comes across. We will of course need to define some procedures surrounding this: 1. Packages in fedora-x + fedora-x-updates may not have any runtime deps on packages in fedora-x-builldep is the most obvious ones 2. We will need a small procedure for moving packages from fedora-x + fedora-x-updates to fedora-x-builddep, so that they get removed by dnf for people who do not have fedora-x-builddep enabled. Basically a builddep version of the fedora-obosolete-packages metapkg. But lets not get too much into details right now. Mikolaj do think that having such a fedora-builddep repo (combined with e.g. ant-minimal for the "API packages" part of things) could work for you ? Regards, Hans

Hi, On 9/11/20 12:47 PM, Vít Ondruch wrote: It doesn't the purpose of my email was to look for ways to get the modular ant/maven repos work moved back into ursine without increasing the workload for the maintainers of those modular repos. So the way to look at this, is does it increase workload, and AFAICT it does not increase workload, while it would allow us to fold the work being done in the modular repos back into the ursine repo (for the ant example at least). Alternatively if we fold that work back into the ursine repos, then the modular builds could start relying on the full-blown ant build maintained by the java-SIG in the ursine repos and drop their own ant-minimal, at which point it would reduce the workload for the maintainers of the modular repos. My idea behind having a separate ant-minimal is that they then can ensure that that is new enough and otherwise matches their needs without relying on the full-blown version, but actually somply switching to the full-blown java-SIG maintained version might be better. Regards, Hans p.s. I would not mind picking up maintenance of 1 or 2 of the less frequently changing java packages (*) if that helps. I wonder how much more people there are like me who care enough about java to be willing to put some work in (but not lots of work) ? Perhaps it would be a good idea for the java-SIG to make a list of easy to maintain (for an experienced packager) pkgs which could use a new primary maintainer. I realize maintaining the entire stack is a team effort, so the rest of the java-SIG will of course be/stay a co-maintainer of these. But having things like rebasing to latest upstream, or just addressing bugzillas taken care of mostly by a new primary maintainer who is willing to pick up some packages might help reduce the load ? The idea here is for someone (e.g.) me to NOT jump in now, do a bunch of work to help out and then disappear again. Instead I would invest say 1-2 hours every 2 weeks, which may not seem much but over time adds up and if we can get more people to do this, then maybe we can spread the load of the java packages in the ursine repos better ? *) But definitely not the entire stack

Hi, On 9/11/20 6:08 PM, Fabio Valentini wrote: Yes that sounds great. I would be happy to pick up a few of those to help and if a bunch of us do that hopefully we can lighten the load a bit. Regards, Hans

Hi, On 9/14/20 5:05 PM, Fabio Valentini wrote: Thank you for making this list. I'm afraid that I don't really see anything which really appeals to me to pick-up there, sorry. Still hopefully some others will find this list helpful. Regards, Hans

On Fri, 11 Sep 2020 at 07:27, Mario Torre <neugens(a)redhat.com&gt; wrote: The issue is that like https://xkcd.com/2347/ you need that software for a couple dozen other things which may have no obvious relation to it. You start pulling a large number of packages and people start screaming that you are killing their need for using Fedora. that then puts pressure on someone else to try a herculian task of keeping that package in. Or you find out that this java package is getting pulled in for say a test suite in rust and you have to pull the browser, mail client and dozen other things out because of that. You might say "well I will maintain it until that test gets pulled out" and then you find out a dozen other software tools now need it because they saw Mozilla used it so it must be ok. As the back of the bottle says "rinse, lather, repeat". The bigger problem is that the software we ship has gotten more complicated and interdependent over the last decade while the number of packagers who can deal with that complexity has not grown. You can't bring in a newbie to take over part of some of these stacks because it reverberates through a hundred other packages without knowing it. Personally I think the real problem are we are constantly trying to square the circle. 1. we insist on trying to keep everything in one repository and hope that some patched up depsolver can 'theoretically fix it for us' so we never have an Extras/Core debacle again. 2. we put incredible pressure on maintainers and the project as a whole to have ALL the software and not dropping anything even when it is clear it doesn't work in a bundled with the OS format. 3. Never admitting that we messed up in the past but keep pushing through assuming that by god our mighty brains can eventually solve these conundrums. This may sound like a dig about modularity but it is much more about admitting that the Java maintainer complaints in 2006-> 2009? about treating Java like C in packaging was going to lead to no one maintaining it and it falling apart. The same problem is running through the Node community, the Erlang community, etc etc. In the end we have a bunch of rules to try and make a camel like a horse and then wonder why we keep getting spat on by our 'horses'. -- Stephen J Smoogen.

On Fri, Sep 11, 2020 at 5:52 PM Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; wrote: I'm not sure making things available only at build-time is going to help things. It's just "Modularity under a different name" ... Most Java packages are either directly or indirectly depended on by non-build-tool packages as well. You'd be surprised. Most of the distro directly or indirectly depends on the Java stack already - including the libvirt stack, libreoffice, some GNOME components, KDE components, etc. So most of those Java packages can't be built-time-only packages because they're actually required at runtime. The number of packages that are *really only ever needed to build other RPM packages and for no other reasons* is rather small. Fabio

What Fabio just mentioned was that the current use case for a build-time only package is invalid. A lot of packages Mikolaj is trying to get build-time only (via modules) are still maintained by the Java Maintenance SIG because they're required by other packages. Allowing them to be build-time only results in the entire ecosystem crumbling. If they're retired, the ecosystem crumbles too. Same result either way. That's why the Java Maintenance SIG was built: so that it can be more than one person working on these packages. - Alex On Fri, Sep 11, 2020 at 12:44 PM Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; wrote:

On Sat, Sep 12, 2020 at 10:32:51AM +0200, Vitaly Zaitsev via devel wrote: The packages *would* be trivially installable. I didn't say that explicitly, but you would always be able to install a package that has "Provides:fedora-build-time-only" and then install any such packages on any system. (That is how they would installed in mock or koji too.) Zbyszek

On 11.09.2020 10:16, Mikolaj Izdebski wrote: IMO, this is a very bad practice. I maintain a lot of C++ header-only libraries, needed to build other packages and this is fine. Everyone can use them without bundling into their own packages. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)