> On Mon, Jun 10, 2024 at 11:57 PM Adam Williamson
> <adamwill(a)fedoraproject.org&gt; wrote:
> 
> You are right - I meant to say it was suspicious that these commits
> were only done in the f40 branch, but are not present in rawhide.
> Usually packages are worked on in rawhide *first* and then changes are
> merged or backported to stable branches.
> 
> Reading up on the bug, the situation with Julia does indeed sound like
> a major clusterf***.
> If Julia only supports running on top of the same versions of
> libraries that it was built against, maybe it needs to be rebuilt any
> time any of those libraries change?

It is more complex than that, because there is generally an FFI layer built 
into the Julia code, so if the API has changed at all for those libraries 
(which it did recently for SuiteSparse in a way that broke Julia), then parts 
inside Julia also need updating to match the new API.

> It also sounds like Julia packages are distributed as pre-compiled
> binaries? That seems like a major security issue if Julia is just
> downloading pre-compiled binaries from somewhere and running them ...

It is no more insecure than distributing RPM packages from mirrors in my view. 
They build all the binary packages using recipes from a GitHub repository here 
https://github.com/JuliaPackaging/Yggdrasil, and all the build logs are 
publicly viewable and build artifacts publicly downloadable for inspection. The 
binaries are then hosted as Julia packages in their own GitHub repo (in this 
org https://github.com/JuliaBinaryWrappers) with the binary artifacts attached 
as release artifacts. They also mirror them through packaging servers to 
distribute the load (so not everyone has to download from GitHub). So I don't 
see this as being any less secure than the RPM distribution chain.

> 
> Fabio
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to