Fabio Valentini venit, vidit, dixit 2024-06-14 16:25:56: > On Mon, Jun 10, 2024 at 11:57 PM Adam Williamson > <adamwill@xxxxxxxxxxxxxxxxx> wrote: > > > > On Mon, 2024-06-10 at 20:57 +0200, Fabio Valentini wrote: > > > On Mon, Jun 10, 2024 at 8:52 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > > > > > On Mon, Jun 10, 2024 at 8:49 PM Colin Walters <walters@xxxxxxxxxx> wrote: > > > > > > > > > > Worth a bit of wide distribution as I'm sure I'm not the only one who got burned: > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2291191 > > > > > > > > The build of Julia that has this has been unpushed from > > > > f40-updates-testing already: > > > > https://bodhi.fedoraproject.org/updates/FEDORA-2024-8a00986001 > > > > > > > > Not sure why these changes landed in the f40 branch only, but not in rawhide. > > > > > > Side note: The commits that are on the f40 branch *only* definitely > > > look suspicious: > > > https://src.fedoraproject.org/rpms/julia/commits/f40 > > > > > > Looks like Julia is bundling LLVM, libuv, libunwind, gmp, curl (!), > > > libssh2 (!), and mbedtls (!) ... > > > https://src.fedoraproject.org/rpms/julia/blob/f40/f/sources > > > > Back story is in https://bugzilla.redhat.com/show_bug.cgi?id=2274270 . > > Not really suspicious, just an upstream terminally inhospitable to > > downstreams. It kinda looks like we should just ditch the package, to > > me. > > You are right - I meant to say it was suspicious that these commits > were only done in the f40 branch, but are not present in rawhide. > Usually packages are worked on in rawhide *first* and then changes are > merged or backported to stable branches. > > Reading up on the bug, the situation with Julia does indeed sound like > a major clusterf***. > If Julia only supports running on top of the same versions of > libraries that it was built against, maybe it needs to be rebuilt any > time any of those libraries change? > It also sounds like Julia packages are distributed as pre-compiled > binaries? That seems like a major security issue if Julia is just > downloading pre-compiled binaries from somewhere and running them ... Julia comes from a mindset or background where reproducibility is important. Think of data science where you distribute both analysis and code and want your code to always support your analysis ;-) Now, one thing is enabling that (via explicit requirements, bundling, containerizing and such), another thing is basically inhibiting unbundling. Julia users might be best served by not packaging Julia as rpm any more. This implies not packaging it as Fedora flatpak either. I would not phrase this as "Fedora does not support Julia", though. Rather, "Julia does not support distribution packaging" but also "Fedora supports containerized workflows" such as those preferred by and supported by Julia. In fact, Fedora/RHEL are *the* base for containerized workflows, of course! Michael -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
