Hi, Jiri Konecny <jkonecny@xxxxxxxxxx> writes: > Dne 07. 01. 22 v 21:54 Major Hayden napsal(a): >> On 1/7/22 14:46, Jiri Konecny wrote: >>> I would like to do here a bit of brainstorming and ask if there is an >>> existing solution to this problem. To explain my problem, >>> recently I found more and more apps likes terminals, prompt and >>> command line tooling, which are great to use but not >>> packaged or are outdated in our repositories. The reason for this is >>> simple. These apps are written in languages like Rust or >>> Go which works the way that there are plenty of smaller libraries and >>> these are really a hell to package or maintain in >>> Fedora. On the other hand it's pretty simple to build it from the >>> source (most of the time) but hard to split it into packages. >> >> Oh gosh, yes, this has been a problem for me for a while. I maintain >> azure-cli, which has a few subpackages. It depends on about 95 other >> Azure Python SDK components which depend on various Python libraries. >> Each of these must be carefully updated when the main azure-cli >> package is updated. 🥵 >> >>> I would say, that for GUI apps we already done that. We have Flatpak >>> which is doing great job to get these apps there >>> and motivate people to do that because it's then consumable on plenty >>> of places. However, this is not really usable if you >>> need app which is core part of the system (like prompt) or emacs/vim >>> which needs a lot of dependencies from the system >>> based on user configuration. >> >> I do like Flatpaks for GUI applications. >> >> For CLIs, I've seen people use container images since it's a single >> item that is easily updated. However, it's not always easy to >> determine how a container was built and the home of its sources. 😬 >> >> The cloud vendors seem to be moving towards bundling everything up >> into a zip file that you download and run. AWS now has their own >> crypto/hashing components and bundled Python in a zip. Google has a >> large zip with plenty of third party vendored content. > Bundling to ZIP is again the same issue. You have to download it from > somewhere and from my PoV that is a bigger problem than not being able > to validate the content. I am afraid that we will not get around bundling dependencies in the long haul if we want packaging to still be a doable effort. There however kind off a middle ground between "package everything" and "bundle everything", that is currently pursued by the openSUSE project for node.js: allow the build system to "inject" system packages into a npm install via a local registry. That would allow packagers to still bundle most of the non-critical™ packages, while the security relevant ones could be maintained as rpms and get more attention. Iirc the plan was to provide this functionality via https://github.com/openSUSE/npm-localhost-proxy, but I am not sure if it's already implemented or whether that's the correct project. Cheers, Dan _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
