Mario Torre wrote: > On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel wrote: >> And that is actually a problem rather than a solution. Maven artifacts >> are basically write once only. Everything depends on a hardcoded version >> which, once uploaded, is normally never touched again. This means that >> security bugs and other bugs never get fixed (unless the application >> bumps the dependency version, which can take months or years or even just >> never happen). That is exactly what the RPM system is designed to avoid. > > Well, that's why it should be "curated" and not just a mirror of maven > central. No amount of "curating" can fix this inherent design limitation of Maven. You cannot just replace foo-1.2.3 with a different version with security fixes, that opens all sorts of cans of worms (caching, reproducibility, changed checksums, etc.). So you need to upload something like foo-1.2.3.1 and then bump the dependency in every single application. How is that any easier than just building against the latest foo to begin with? Kevin Kofler _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure