> On Mon, Jun 10, 2024 at 11:57 PM Adam Williamson > <adamwill(a)fedoraproject.org> wrote: > > You are right - I meant to say it was suspicious that these commits > were only done in the f40 branch, but are not present in rawhide. > Usually packages are worked on in rawhide *first* and then changes are > merged or backported to stable branches. > > Reading up on the bug, the situation with Julia does indeed sound like > a major clusterf***. > If Julia only supports running on top of the same versions of > libraries that it was built against, maybe it needs to be rebuilt any > time any of those libraries change? It is more complex than that, because there is generally an FFI layer built into the Julia code, so if the API has changed at all for those libraries (which it did recently for SuiteSparse in a way that broke Julia), then parts inside Julia also need updating to match the new API. > It also sounds like Julia packages are distributed as pre-compiled > binaries? That seems like a major security issue if Julia is just > downloading pre-compiled binaries from somewhere and running them ... It is no more insecure than distributing RPM packages from mirrors in my view. They build all the binary packages using recipes from a GitHub repository here https://github.com/JuliaPackaging/Yggdrasil, and all the build logs are publicly viewable and build artifacts publicly downloadable for inspection. The binaries are then hosted as Julia packages in their own GitHub repo (in this org https://github.com/JuliaBinaryWrappers) with the binary artifacts attached as release artifacts. They also mirror them through packaging servers to distribute the load (so not everyone has to download from GitHub). So I don't see this as being any less secure than the RPM distribution chain. > > Fabio -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
