On May 9, 2023, at 1:53 PM, Mikel Olasagasti mikel@olasagasti.info wrote:
Hi Major,
Hau idatzi du Major Hayden (major@mhtx.net) erabiltzaileak (2023 mai. 8(a), al. (22:51)):
One potential option is to work with upstream (AWS) to change these dependencies out for actively maintained ones instead, but that likely requires significant development work. š„µ
Iām poking the SSM team internally on this to see if thereās any plans of getting away from any of these (and to force the evaluation of if there *should* be any plans or not).
Another option might be to vendor these dependencies in the main SSM package, but that still means we're building against unmaintained code and it likely violates some Fedora policies. š±
We vendor the dependencies for SSM in the SSM package we ship in Amazon Linux for two reasons: 1. it was always done that way (not a good reason) 2. avoids exposing any of these deps to a broader audience than ājust the scope in which the SSM agent uses themā and thus alleviates a pile of issues regarding moving them forward major versions or not.
Seeing as itās net new to Fedora, (1) doesnāt apply, and (2) is less of an issue because of the shorter life cycle of Fedora.