Robert Marcano via devel wrote:
> I think the only way for the Java ecosystem to survive in Fedora outside of
> OpenJDK and some core components is to allow bundling (Even JavaScript
> bundling is already allowed), but how to do it without compromising
> security?

The problem is that Java projects typically bundle prebuilt binaries, which
is a complete no go. The big issue is not that the libraries are bundled, it
is that they are bundled in prebuilt binary form, often even without the
source code at all.

Fixing this requires work no matter whether the packager works the way you
propose or whether they simply unbundle the dependencies. So I do not see
any valid reason to not just go ahead and unbundle. (At least for the
typical application. Things like Eclipse plugins, using nested JARs, are the
exception and might indeed need special treatment.)

The Go and Rust case is different because the library packages are shipped
as source code and the application packages then BuildRequire that source
code. Doing the same for Java would require modifying the upstream build
systems even more than just depending on a Fedora-built JAR would (because
the Go/Rust way is not how Java normally works). So I do not see any
advantage in doing things that way. (And for the record, I also think that
Go and Rust should not work that way either! It is possible to build shared
libraries of Go code, at least one Go toolchain supports it.)

The JavaScript case is also different because everything that is bundled is
bundled as source code. JavaScript does not have anything like a compiled
JAR file.

Kevin Kofler