On 06. 10. 21 at 7:08, Michal Srb wrote:
Hi folks,
@Matthew Miller <mat...@redhat.com> Are you still trying to
save Fedora from packaging the ocean? :)
On Mon, Oct 4, 2021 at 9:10 PM Fabio Valentini <decatho...@gmail.com>
wrote:
On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller
<mat...@fedoraproject.org> wrote:
>
> On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
> > I'm not sure what's the best solution, but I guess the number one
> > reason to have packages within the Fedora distribution is for a matter
> > of trust, if this is the case I would argue that a curated list of
> > maven packages served via a Fedora managed repository would be a
> > better investment.
>
> I'd love to see someone interested in this pursue this idea! I know we
> talked about it as long ago as... Flock Prague... and probably before.
This approach will buy you *literally nothing* compared to how things
already work, assuming you don't advocate just redistributing binary
artifacts / JARs from Maven Central.
Given that assumption, JARs would still need to be built 1) from
source, in a 2) trusted environment, 3) against trusted dependencies,
as I don't think any other approach should be acceptable for content
distributed by the Fedora Project.
But then you're back to *exactly how Fedora packages for Java projects
already work* - only with the added complication that distributing
those build artifacts as plain JARs instead of RPMs now makes them
impossible to consume as dependencies from other RPM builds.
I think it would actually make a huge difference.
Unlike RPM repositories, Maven repositories can easily hold multiple
versions of libraries.
RPM repositories can hold multiple versions of libraries as well. This is
a self-inflicted limitation of Fedora, because once you have multiple
versions of libraries, you should also fix (security) bugs in those
versions. And this is where it starts to be complicated.
Vít
Once a JAR is built, the resulting bytecode will work with current and
future JVMs. There is no need to mass-rebuild JARs every 6 months. And
there is certainly no need to try to run every single Java application
with a single "system-wide" version of a library.
Fedora could ship just Java applications that would bundle JARs
(whatever version they need) from the Fedora Maven repository. I don't
see this as a problem, as long as it would be possible to track what
JARs are bundled in what application.
Fedora maintainers could then focus on maintaining applications, and
not maintaining a ton of individual libraries that nobody really cares
about that much.
Thanks,
Michal
Fabio
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure