On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > Michal Srb wrote: > > Unlike RPM repositories, Maven repositories can easily hold multiple > > versions of libraries. Once a JAR is built, the resulting bytecode will > > work with current and future JVMs. There is no need to mass-rebuild JARs > > every 6 months. And there is certainly no need to try to run every single > > Java application with a single "system-wide" version of a library. > > And that is actually a problem rather than a solution. Maven artifacts are > basically write once only. Everything depends on a hardcoded version which, > once uploaded, is normally never touched again. This means that security > bugs and other bugs never get fixed (unless the application bumps the > dependency version, which can take months or years or even just never > happen). That is exactly what the RPM system is designed to avoid. Well, that's why it should be "curated" and not just a mirror of maven central. Cheers, Mario -- Mario Torre Manager, Software Engineering, core OpenJDK Red Hat GmbH <https://www.redhat.com> 9704 A60C B4BE A8B8 0F30 9205 5D7E 4952 3F65 7898 _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
