> Am 08.10.2021 um 14:11 schrieb Kevin Kofler via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx>: > > Mario Torre wrote: > >> On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel wrote: >>> And that is actually a problem rather than a solution. Maven artifacts >>> are basically write once only. Everything depends on a hardcoded version >>> which, once uploaded, is normally never touched again. This means that >>> security bugs and other bugs never get fixed (unless the application >>> bumps the dependency version, which can take months or years or even just >>> never happen). That is exactly what the RPM system is designed to avoid. >> >> Well, that's why it should be "curated" and not just a mirror of maven >> central. > > No amount of "curating" can fix this inherent design limitation of Maven. Maven may have a lot of design limitations, but this scenario is none of them. No build system can completely compensate a careless developer or system administrator. And what is the alternative? If we don't find a way to make building Java application rpm easier, there will be no Fedora rpm for many applications at all. And then, what happens? The sysadmin installs a binary from some source. And then happens exactly what you fear: The program runs forever and > that opens all sorts of cans of worms (caching, reproducibility, > changed checksums, etc.). Peter _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
