On Wed, Oct 6, 2021 at 2:39 PM Mikolaj Izdebski <mizde...@redhat.com> wrote: > > On Mon, Oct 4, 2021 at 8:50 PM Matthew Miller <mat...@fedoraproject.org> > wrote: > > > > On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote: > > > I'm not sure what's the best solution, but I guess the number one > > > reason to have packages within the Fedora distribution is for a matter > > > of trust, if this is the case I would argue that a curated list of > > > maven packages served via a Fedora managed repository would be a > > > better investment. > > > > I'd love to see someone interested in this pursue this idea! I know we > > talked about it as long ago as... Flock Prague... and probably before. > > That's a very old idea that has been partially implemented years ago, > but never approved for use in Fedora. Maven artifacts can be built in > Koji (there is an existing "koji maven-build" command). Once built > they appear in a "curated" Maven repository hosted on Koji, that can > be synced to mirrors, from where users can consume it. Consumers of > this Maven repository don't need to be running Fedora, not even Linux. > > Curated Maven repository contains additional metadata, eg. CVEs > affecting given artifact version, whether upstream is active, whether > given artifact is available in Fedora and in which releases, etc. For > each Fedora Linux release there is an auto-generated BOM (bill of > materials POM) listing artifacts available in the release. > > Binaries from this trusted/curated Maven repository can also be > wrapped into RPMs (using "koji wrapper-rpm" command) and put into > distribution repos and composes. Other packages can depend on such > RPMs. This is a hybrid packaging model, where some Java RPM packages > can be built in the traditional way (where code is compiled during > rpmbuild) and some are built elsewhere, and only wrapped in RPMs.
So the only thing left to do is to convince Mr. Fedora to approve this ;) Cheers, Mario -- Mario Torre Manager, Software Engineering, core OpenJDK Red Hat GmbH <https://www.redhat.com> 9704 A60C B4BE A8B8 0F30 9205 5D7E 4952 3F65 7898 _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
