Michal Srb wrote:
> Unlike RPM repositories, Maven repositories can easily hold multiple
> versions of libraries. Once a JAR is built, the resulting bytecode will
> work with current and future JVMs. There is no need to mass-rebuild JARs
> every 6 months. And there is certainly no need to try to run every single
> Java application with a single "system-wide" version of a library.

And that is actually a problem rather than a solution. Maven artifacts are 
basically write once only. Everything depends on a hardcoded version which, 
once uploaded, is normally never touched again. This means that security 
bugs and other bugs never get fixed (unless the application bumps the 
dependency version, which can take months or years or even just never 
happen). That is exactly what the RPM system is designed to avoid.

> Fedora could ship just Java applications that would bundle JARs (whatever
> version they need) from the Fedora Maven repository. I don't see this as a
> problem, as long as it would be possible to track what JARs are bundled in
> what application.

So you propose to bundle a whole bunch of JARs, some of which have been 
built many Fedora releases ago and might not even be buildable in any 
currently supported Fedora anymore? I think this would be not only a huge 
waste of space, but also a gigantic security nightmare.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
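Both posts above turn on the same practical question: can you tell which versions of which libraries an application bundles, and whether any of them is older than the release that fixed a known bug? The following script is an added example for this thread, not code from either poster or from Fedora. It relies on one real Maven convention (JARs built by Maven carry META-INF/maven/<groupId>/<artifactId>/pom.properties with groupId, artifactId and version) and otherwise uses constructed input: the sample application directory, the coordinates org.example:log-api and org.example:util, and the "minimum fixed version" table are all made up for the demonstration. The version ordering is a deliberate simplification of Maven's rules (numeric prefix of each dot- or dash-separated segment), which is enough to flag a bundled 1.2 against a required 1.3 but is not Maven's comparator.

```python
"""Inventory the Maven coordinates of JARs bundled in an application directory
and flag any that are older than a known-fixed version.

Added example for the Fedora devel thread above; not project code.
Assumes Maven's pom.properties convention; all sample data is constructed.
"""
import io
import tempfile
import zipfile
from pathlib import Path

MAVEN_DIR = "META-INF/maven/"


def parse_properties(text):
    """Parse key=value lines of a pom.properties file (comments/blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def read_maven_coordinates(jar_bytes):
    """Return sorted 'group:artifact:version' strings found in a JAR.
    A shaded (fat) JAR may embed several pom.properties; all are reported."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(MAVEN_DIR) and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    coords.append(f"{props['groupId']}:{props['artifactId']}:{props['version']}")
    return sorted(coords)


def inventory(app_dir):
    """Map each JAR under app_dir (relative POSIX path) to its Maven coordinates."""
    app_dir = Path(app_dir)
    return {
        path.relative_to(app_dir).as_posix(): read_maven_coordinates(path.read_bytes())
        for path in sorted(app_dir.rglob("*.jar"))
    }


def version_key(version):
    """Turn '2.14.1' or '1.2.3-SNAPSHOT' into a comparable tuple of ints.
    Simplification (assumption): only the numeric prefix of each dot/dash
    separated segment counts, and trailing zeros are dropped so 1.2 == 1.2.0."""
    key = []
    for segment in version.replace("-", ".").split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    while key and key[-1] == 0:
        key.pop()
    return tuple(key)


def flag_outdated(inv, minimum_fixed):
    """Return (jar, coordinate, required) for each bundled artifact whose version
    is below the one listed in minimum_fixed ({'group:artifact': 'version'})."""
    flagged = []
    for jar, coords in inv.items():
        for coord in coords:
            group_artifact, version = coord.rsplit(":", 1)
            required = minimum_fixed.get(group_artifact)
            if required is not None and version_key(version) < version_key(required):
                flagged.append((jar, coord, required))
    return flagged


def build_jar(path, pom_properties=None):
    """Write a minimal JAR; with pom_properties=(group, artifact, version) it also
    gets the Maven metadata file. Constructed test fixture, not a real library."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if pom_properties:
            group, artifact, version = pom_properties
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"#Generated by Maven\nversion={version}\n"
                        f"groupId={group}\nartifactId={artifact}\n")


def run_demo():
    """Build a constructed application tree, inventory it, and flag old JARs."""
    app = Path(tempfile.mkdtemp(prefix="bundled-jars-"))
    build_jar(app / "lib" / "log-api-1.2.jar", ("org.example", "log-api", "1.2"))
    build_jar(app / "lib" / "util-3.0.1.jar", ("org.example", "util", "3.0.1"))
    build_jar(app / "lib" / "legacy.jar")  # not built by Maven: no pom.properties
    inv = inventory(app)
    # Hypothetical "fixed in" table; in practice this comes from an advisory feed.
    flagged = flag_outdated(inv, {"org.example:log-api": "1.3", "org.example:util": "3.0.1"})
    return inv, flagged


if __name__ == "__main__":
    inv, flagged = run_demo()
    for jar, coords in inv.items():
        print(jar, "->", ", ".join(coords) or "(no Maven metadata)")
    for jar, coord, required in flagged:
        print(f"OUTDATED {jar}: {coord} (fixed in {required})")
```

Run it directly to see the inventory and the one flagged JAR. Note the legacy.jar case: a JAR without Maven metadata is exactly the kind of bundled artifact Michal's "as long as it would be possible to track" condition cannot cover, so a tool like this should treat an empty coordinate list as a finding to investigate, not as a clean result.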
