On 06. 10. 21 at 7:08, Michal Srb wrote:
Hi folks,
@Matthew Miller <mailto:mat...@redhat.com> Are you still trying to 
save Fedora from packaging the ocean? :)
On Mon, Oct 4, 2021 at 9:10 PM Fabio Valentini <decatho...@gmail.com> 
wrote:
    On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller
    <mat...@fedoraproject.org> wrote:
    >
    > On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
    > > I'm not sure what's the best solution, but I guess the number one
    > > reason to have packages within the Fedora distribution is for a matter
    > > of trust, if this is the case I would argue that a curated list of
    > > maven packages served via a Fedora managed repository would be a
    > > better investment.
    >
    > I'd love to see someone interested in this pursue this idea! I know we
    > talked about it as long ago as... Flock Prague... and probably before.

    This approach will buy you *literally nothing* compared to how things
    already work, assuming you don't advocate just redistributing binary
    artifacts / JARs from Maven Central.

    Given that assumption, JARs would still need to be built 1) from
    source, in a 2) trusted environment, 3) against trusted dependencies,
    as I don't think any other approach should be acceptable for content
    distributed by the Fedora Project.


    But then you're back to *exactly how Fedora packages for Java projects
    already work* - only with the added complication that distributing
    those build artifacts as plain JARs instead of RPMs now makes them
    impossible to consume as dependencies from other RPM builds.


I think it would actually make a huge difference.

Unlike RPM repositories, Maven repositories can easily hold multiple versions of libraries.

RPM repositories can hold multiple versions of libraries as well. This is a self-inflicted limitation of Fedora, because once you have multiple versions of libraries, you should also fix (security) bugs in those versions. And this is where it starts to be complicated.

Vít


Once a JAR is built, the resulting bytecode will work with current and future JVMs. There is no need to mass-rebuild JARs every 6 months. And there is certainly no need to try to run every single Java application with a single "system-wide" version of a library.
Fedora could ship just Java applications that would bundle JARs 
(whatever version they need) from the Fedora Maven repository. I don't 
see this as a problem, as long as it would be possible to track what 
JARs are bundled in what application.
Fedora maintainers could then focus on maintaining applications, and 
not maintaining a ton of individual libraries that nobody really cares 
about that much.
Thanks,
Michal


    Fabio
    _______________________________________________
    devel mailing list -- devel@lists.fedoraproject.org
    To unsubscribe send an email to devel-le...@lists.fedoraproject.org
    Fedora Code of Conduct:
    https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines:
    https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives:
    https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
    Do not reply to spam on the list, report it:
    https://pagure.io/fedora-infrastructure

