On Tue, Sep 28, 2021 at 2:26 PM Robert Marcano via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > On 9/27/21 7:54 PM, Kevin Kofler via devel wrote: > > Robert Marcano via devel wrote: > >> I think the only way the Java ecosystem to survive in Fedora outside of > >> OpenJDK and some core components is to allow bundling (Even JavaScript > >> bundling is already allowed), but how do to it without compromising > >> security? > > > > The problem is that Java projects typically bundle prebuilt binaries, which > > is a complete no go. The big issue is not that the libraries are bundled, it > > is that they are bundled in prebuilt binary form, often even without the > > source code at all. > > Even in the case of SCM repositories committed binaries, allowing > bundling would help a lot, add some kind of automation that replace > these jar for the proposed local created maven repository, and link to > them, and add the metadata to the RPM to know it need to be rebuilt when > that dependency is updated. This is a lot more easier than fighting old > build scripts that don't use some kind of dependency manager. It will > probably be hard for these kind of packages, but any modern application > using using a modern build system could become easier to package. This is actually 100% how packaging applications that use ant + bundled dependencies (i.e. often .jar files in a "/lib/" directory) has worked for ages already. So the Java packaging tools we have in Fedora support this use case just fine. Fabio _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
