Mario Torre wrote:
> On Fri, Oct 8, 2021 at 2:11 AM Kevin Kofler via devel wrote:
>> And that is actually a problem rather than a solution. Maven artifacts
>> are basically write once only. Everything depends on a hardcoded version
>> which, once uploaded, is normally never touched again. This means that
>> security bugs and other bugs never get fixed (unless the application
>> bumps the dependency version, which can take months or years or even just
>> never happen). That is exactly what the RPM system is designed to avoid.
>
> Well, that's why it should be "curated" and not just a mirror of maven
> central.
No amount of "curating" can fix this inherent design limitation of Maven.
You cannot just replace foo-1.2.3 with a different version with security
fixes, that opens all sorts of cans of worms (caching, reproducibility,
changed checksums, etc.). So you need to upload something like foo-1.2.3.1
and then bump the dependency in every single application. How is that any
easier than just building against the latest foo to begin with?
Kevin Kofler
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
