Re: Bundling (was Re: RFC: Proposal for a more agile "Fedora.next" (draft of my Flock talk))

On 07/24/2013 11:03 AM, Nicolas Mailhot wrote:
> On Wed 24 July 2013 16:17, Peter MacKinnon wrote:
>
>> A generalization which I would disagree with in the Java space. I think
>> many projects eventually reach "steady-state" where they have acquired
>> the set of dep bundles they need to satisfy their runtime and test
>> requirements. For example, Hadoop would not bundle multiple versions of
>> Jetty. However, its bundled deps may differ slightly (perhaps even by
>> just API-compatible versions) say from Tomcat's (another Hadoop
>> dependency). And that's where you see the proliferation of bundled jar
>> libraries as you walk down (up?) the dep tree.
>
> Having been involved in java packaging in the past, I can only agree with
> the generalization. Most java projects will affirm their bundling is
> minimal, but java projects are deeply interconnected and unwinding
> recursively the dependencies of the bundled deps (which can also do their
> own 'sparse' bundling) always gave frightening results in my time. Java
> projects only consider the tip of the iceberg. They quickly lose count of
> the layers of obsolete components their bundled deps drag. And because
> they lose count, they are not aware of the security problems that caused
> each of those to become obsolete upstream in the first place.

In the case of Maven there are dependency analysis plugins that help in
this regard. Sometimes false positives appear here, but it is another area
where perhaps a SIG, given the right tools, could tune their bundles to be
secure but at the same time not force "innocent" parts of the bundle into
Fedora system repo compliance.


> I wouldn't object to bundling if the bundlers did due security diligence
> on the bits they bundled. But they don't. That's the *only* reason they
> feel bundling is cheaper. They skimp on the security maintenance costs.


So the baby goes out with the bath water? Java (and other technology)
projects that may have their own internal development tension between
stability and agility are not worthy of a place in Fedora? ;-)

I just want the discourse to remain open to the notion that certain projects
being viewed as relying on "unclean" bundles doesn't necessarily discount
their value to end users and developers.

The Hadoop market in 2012 was worth $1.5 billion and is expected to grow
to about $13.9 billion by 2017. Not too shabby, warts and all. :-)


--
Peter MacKinnon
MRG Grid/Big Data
Red Hat Inc.
Raleigh, NC

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
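Editor's added example (not part of the thread above, and not code from Fedora, Hadoop or Maven): the "walk down the dep tree" that Peter and Nicolas describe can be done mechanically from the text that the maven-dependency-plugin `tree` goal prints (`mvn dependency:tree -Dverbose`; with -Dverbose Maven also lists the versions it dropped as "omitted for conflict with ..."). The script below parses that format, reconstructs the ancestor chain for every coordinate, and reports each artifact requested at more than one version together with the chain that drags it in. That report is the list of components a bundler has to keep tracking for upstream security fixes, whether or not the build resolved them away. The embedded tree is constructed for this example; the artifacts and versions are illustrative and do not describe a real Hadoop or Tomcat dependency tree.

```python
"""Walk a `mvn dependency:tree -Dverbose` listing and flag artifacts that
are requested at more than one version, with the chain that pulls each in.

Added example: the input format is the text output of the
maven-dependency-plugin `tree` goal; the sample tree below is constructed
and is not any real project's dependency tree.
"""
import re
import sys
from collections import defaultdict, namedtuple

Node = namedtuple("Node", "group artifact version scope depth omitted chain")

# Verbose output wraps dropped coordinates as
# "(g:a:type:v:scope - omitted for conflict with X)" or "... for duplicate)".
_OMIT = re.compile(r"^\((.+?) - omitted for (.+)\)$")

# Constructed sample of `mvn dependency:tree -Dverbose` output (illustrative).
SAMPLE_TREE = """\
[INFO] org.example:bigdata-app:jar:1.0
[INFO] +- org.mortbay.jetty:jetty:jar:6.1.26:compile
[INFO] |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile
[INFO] |  \\- org.mortbay.jetty:servlet-api:jar:2.5-20081211:compile
[INFO] +- org.apache.tomcat:tomcat-catalina:jar:7.0.42:compile
[INFO] |  +- org.apache.tomcat:tomcat-servlet-api:jar:7.0.42:compile
[INFO] |  \\- commons-codec:commons-codec:jar:1.4:compile
[INFO] \\- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO]    +- commons-logging:commons-logging:jar:1.0.4:compile
[INFO]    \\- (commons-codec:commons-codec:jar:1.2:compile - omitted for conflict with 1.4)
"""


def parse_tree(text):
    """Parse dependency:tree text into Node records.

    Depth comes from the 3-character tree columns ("+- ", "|  ", "\\- ",
    "   ") Maven draws before each coordinate; `chain` holds the
    "group:artifact:version" ancestors, root first.
    """
    nodes, ancestors = [], []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        if not line.strip():
            continue
        body = line.lstrip("+-\\| ")
        depth = (len(line) - len(body)) // 3
        omitted = None
        m = _OMIT.match(body.strip())
        if m:
            body, omitted = m.group(1), m.group(2)
        fields = body.strip().split(":")
        if len(fields) < 4:
            continue  # not a coordinate line (plugin chatter, separators)
        group, artifact = fields[0], fields[1]
        if len(fields) == 4:          # root line: g:a:type:version
            version, scope = fields[3], None
        else:                         # g:a:type[:classifier]:version:scope
            version, scope = fields[-2], fields[-1]
        del ancestors[depth:]         # climb back up to this node's parent
        node = Node(group, artifact, version, scope, depth, omitted, tuple(ancestors))
        nodes.append(node)
        ancestors.append(f"{group}:{artifact}:{version}")
    return nodes


def multi_version_artifacts(nodes):
    """Return {"group:artifact": {version: [chain, ...]}} for every artifact
    requested at more than one version, counting omitted ones as requests:
    the omitted version is still what some bundled dep was built against."""
    seen = defaultdict(lambda: defaultdict(list))
    for n in nodes:
        chain = " -> ".join(n.chain) or "(root)"
        seen[f"{n.group}:{n.artifact}"][n.version].append(chain)
    return {ga: dict(v) for ga, v in seen.items() if len(v) > 1}


def max_depth(nodes):
    """Number of transitive layers below the root."""
    return max((n.depth for n in nodes), default=0)


def report(text):
    nodes = parse_tree(text)
    conflicts = multi_version_artifacts(nodes)
    lines = [f"{len(nodes)} coordinates, {max_depth(nodes)} levels of transitive deps"]
    for ga, versions in sorted(conflicts.items()):
        lines.append(f"{ga} requested at {len(versions)} versions:")
        for version, chains in sorted(versions.items()):
            for chain in chains:
                lines.append(f"  {version:<12} via {chain}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: mvn dependency:tree -Dverbose > tree.txt && python3 depwalk.py tree.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    print(report(text))
```

On the sample the report shows commons-codec requested at 1.2 (via commons-httpclient) and 1.4 (via tomcat-catalina): Maven keeps one jar, but a project that instead bundles each dependency's own tree would ship both, and whoever bundles must then follow upstream fixes for both. The same plugin's `dependency:analyze` goal lists declared-but-unused and used-but-undeclared dependencies; it can flag dependencies that are only needed at runtime as unused, so its output wants the same manual review the post mentions.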