Hi folks,

@Matthew Miller <mat...@redhat.com> Are you still trying to save Fedora from packaging the ocean? :)

On Mon, Oct 4, 2021 at 9:10 PM Fabio Valentini <decatho...@gmail.com> wrote:

> On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller <mat...@fedoraproject.org> wrote:
> >
> > On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
> > > I'm not sure what's the best solution, but I guess the number one
> > > reason to have packages within the Fedora distribution is for a matter
> > > of trust, if this is the case I would argue that a curated list of
> > > maven packages served via a Fedora managed repository would be a
> > > better investment.
> >
> > I'd love to see someone interested in this pursue this idea! I know we
> > talked about it as long ago as... Flock Prague... and probably before.
>
> This approach will buy you *literally nothing* compared to how things
> already work, assuming you don't advocate just redistributing binary
> artifacts / JARs from Maven Central.
>
> Given that assumption, JARs would still need to be built 1) from
> source, in a 2) trusted environment, 3) against trusted dependencies,
> as I don't think any other approach should be acceptable for content
> distributed by the Fedora Project.
>
> But then you're back to *exactly how Fedora packages for Java projects
> already work* - only with the added complication that distributing
> those build artifacts as plain JARs instead of RPMs now makes them
> impossible to consume as dependencies from other RPM builds.
>

I think it would actually make a huge difference.

Unlike RPM repositories, Maven repositories can easily hold multiple versions of libraries. Once a JAR is built, the resulting bytecode will work with current and future JVMs. There is no need to mass-rebuild JARs every 6 months. And there is certainly no need to try to run every single Java application with a single "system-wide" version of a library. Fedora could ship just Java applications that would bundle JARs (whatever version they need) from the Fedora Maven repository.

I don't see this as a problem, as long as it would be possible to track what JARs are bundled in what application. Fedora maintainers could then focus on maintaining applications, and not maintaining a ton of individual libraries that nobody really cares about that much.

Thanks,
Michal

>
> Fabio
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>