On Mon, Oct 4, 2021 at 8:50 PM Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote: > > On Mon, Sep 27, 2021 at 03:09:08PM +0200, Mario Torre wrote: > > I'm not sure what's the best solution, but I guess the number one > > reason to have packages within the Fedora distribution is for a matter > > of trust, if this is the case I would argue that a curated list of > > maven packages served via a Fedora managed repository would be a > > better investment. > > I'd love to see someone interested in this pursue this idea! I know we > talked about it as long ago as... Flock Prague... and probably before. That's a very old idea that has been partially implemented years ago, but never approved for use in Fedora. Maven artifacts can be built in Koji (there is an existing "koji maven-build" command). Once built they appear in a "curated" Maven repository hosted on Koji, that can be synced to mirrors, from where users can consume it. Consumers of this Maven repository don't need to be running Fedora, not even Linux. Curated Maven repository contains additional metadata, eg. CVEs affecting given artifact version, whether upstream is active, whether given artifact is available in Fedora and in which releases, etc. For each Fedora Linux release there is an auto-generated BOM (bill of materials POM) listing artifacts available in the release. Binaries from this trusted/curated Maven repository can also be wrapped into RPMs (using "koji wrapper-rpm" command) and put into distribution repos and composes. Other packages can depend on such RPMs. This is a hybrid packaging model, where some Java RPM packages can be built in the traditional way (where code is compiled during rpmbuild) and some are built elsewhere, and only wrapped in RPMs. -- Mikolaj Izdebski > > -- > Matthew Miller > <mattdm@xxxxxxxxxxxxxxxxx> > Fedora Project Leader > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
