On Thu, Mar 22, 2018 at 01:49:27PM -0400, Przemek Klosowski wrote: > 1. ELF binaries > 2. binary run-time loadable libraries > 3. script files for scripting language environments (java programs > could be arguably placed here) > 4. scripting language libraries > 5. java applets running in the browser > 6. javascript running in the browser > > Clearly, we want to package 1. and 2., and we aren't going to start > packaging 6; there's a big discussion as to what's the right approach for 3 > and 4 (npm, conda, cargo, etc). Actually 6. is also packaged for web applications that we package. Not sure if there are still stand-alone packages for jquery but the code is at least bundled in other packages. > One way of looking at it is that packaging provides an assurance that the > software we're running is the software we think you're running, as opposed > to downloading random binaries and scripts from the internet (curl | > /bin/sh). In this way of thinking, software downloaded from secure > (TLS/https) connections to trusted sites could be considered as good as > packaged---we're doing it to javascript so why not java and other things. One big difference is that Javascript is sandboxed in the browser. Also download code just via https is not as good as it being packaged. With packages you can also rollback to older versions or decide when to upgrade. Also signed packages make sure that everyone gets the same thing because there is only one signed RPM for each NVR which also allows for QA. See for example the NPM bug: http://www.zdnet.com/article/show-stopping-bug-appears-in-npm-node-js-package-manager/ Also there have been instances where upstream downloads were compromised in the past. > The .jnlp file that provides JOSM is essentially an XML file which starts > the java machinery running the OSM-provided java application--I can see how > people could argue that it's no different from maps.google.com starting a > javascript mapping application in your browser. Google maps is not FLOSS and a stand-alone application has still advantages over a web application. So using a java web start application might be as good as using a javascript web app, but a stand-alone application can still be better. For example, is it possible to add a java web start application to the gnome favorites? I guess it is only possible with manually writing a .desktop file. Kind regards Till _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
