Re: Fedora 💔 Java: The Death of Two SIGs

On 9/27/21 7:54 PM, Kevin Kofler via devel wrote:
Robert Marcano via devel wrote:
I think the only way for the Java ecosystem to survive in Fedora outside of
OpenJDK and some core components is to allow bundling (even JavaScript
bundling is already allowed), but how to do it without compromising
security?

The problem is that Java projects typically bundle prebuilt binaries, which
is a complete no go. The big issue is not that the libraries are bundled, it
is that they are bundled in prebuilt binary form, often even without the
source code at all.

Even in the case of binaries committed to SCM repositories, allowing bundling would help a lot: add some kind of automation that replaces these jars with the proposed locally created Maven repository and links to them, and add the metadata to the RPM to know it needs to be rebuilt when that dependency is updated. This is a lot easier than fighting old build scripts that don't use some kind of dependency manager. It will probably be hard for these kinds of packages, but any modern application using a modern build system could become easier to package.


Fixing this requires work no matter whether the packager works the way you
propose or whether they simply unbundle the dependencies. So I do not see
any valid reason to not just go ahead and unbundle. (At least for the
typical application. Things like Eclipse plugins, using nested JARs, are the
exception and might indeed need special treatment.)

The Go and Rust case is different because the library packages are shipped
as source code and the application packages then BuildRequire that source
code. Doing the same for Java would require modifying the upstream build
systems even more than just depending on a Fedora-built JAR would (because
the Go/Rust way is not how Java normally works). So I do not see any
advantage in doing things that way. (And for the record, I also think that
Go and Rust should not work that way either! It is possible to build shared
libraries of Go code, at least one Go toolchain supports it.)

The JavaScript case is also different because everything that is bundled is
bundled as source code. JavaScript does not have anything like a compiled
JAR file.

         Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
