On Mon, Oct 4, 2021 at 8:49 PM Matthew Miller <mat...@fedoraproject.org> wrote:
>
> On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote:
> > I'm not sure what's the best solution, but I guess the number one
> > reason to have packages within the Fedora distribution is for a matter
> > of trust, if this is the case I would argue that a curated list of
> > maven packages served via a Fedora managed repository would be a
> > better investment.
>
> I'd love to see someone interested in this pursue this idea! I know we
> talked about it as long ago as... Flock Prague... and probably before.

This approach will buy you *literally nothing* compared to how things already work, assuming you don't advocate just redistributing binary artifacts / JARs from Maven Central.

Given that assumption, JARs would still need to be built 1) from source, in a 2) trusted environment, 3) against trusted dependencies, as I don't think any other approach should be acceptable for content distributed by the Fedora Project.

But then you're back to *exactly how Fedora packages for Java projects already work* - only with the added complication that distributing those build artifacts as plain JARs instead of RPMs now makes them impossible to consume as dependencies from other RPM builds.

Fabio
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org