> Am 08.10.2021 um 02:06 schrieb Kevin Kofler via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx>: > > Michal Srb wrote: >> Unlike RPM repositories, Maven repositories can easily hold multiple >> versions of libraries. ... > > And that is actually a problem rather than a solution. Maven artifacts are > basically write once only. Everything depends on a hardcoded version which, > once uploaded, is normally never touched again. This means that security > bugs and other bugs never get fixed ... A valid point, but only in case the app that consumes the maven artefact in unmaintained. The goal of the "curated list“ is to make building an "app-rpm" less burdensome and provide for more apps as rpm this way. And the updated „app-rpm“ would use an updated version of that jar. And that app would be part of the usual rpm update procedure. >> Fedora could ship just Java applications that would bundle JARs (whatever >> version they need) from the Fedora Maven repository. I don't see this as a >> problem, as long as it would be possible to track what JARs are bundled in >> what application. > > So you propose to bundle a whole bunch of JARs, some of which have been > built many Fedora releases ago and might not even be buildable in any > currently supported Fedora anymore? No! See above. > I think this would be not only a huge > waste of space given the current size of hard drive space, this really isn't a problem. You won't be able to install a meaningful collection of apps whose cumulative footprint of jars installed in parallel leaves any noticeable trace on a x tb disk. But you gain a lot in security if as many of these apps as possible are managed as rpm. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
