james-general mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: website updated, maven2 poms, temporary repository, new artifacts
Date Sat, 29 Jul 2006 18:36:27 GMT
Stefano Bagnara wrote:

> Once you have all the dependencies maven works even disconnected.

> You need all the plugins [and] all the
> dependencies (system/test/runtime/compile)
> in your local repository.

What is the fastest way to assure that to be the case?  For example, if I
run svn up, and do a maven build, is it then safe to disconnect?

> one of the main maven features is that it automatically does this
> stuff; maybe it does not make sense to use maven if you want
> to manage it all manually.

Believe me, if someone had done this work with ant instead of maven, I'd be
a lot happier.  However, several of our components, and the web-sites, are
now built with maven, so unless we decide to ban maven or I redo it in ant
(both are equally unlikely at the moment), making this work properly is

> What I don't understand is that we talked a lot of time about removing
> jars from our svn repository because jars should not be included in svn
> within sources and everyone seemed to agree

You must have missed


One of the recent repository related discussions was regarding third party
dependencies, and we've talked about a repository maintained by ASF projects
containing those artifacts upon which they depend.  Under such
circumstances, I might consider trusting the repository, although still
requiring Maven to fix their security issues.

> > As a practical matter, I'm more concerned about our project builds than
> > web-site builds, although I'd like to be able to do everything while
> > disconnected.

> If you already have all of the dependencies installed in your local
> repository you're safe.

As asked above, how do we ensure that?

> If you have all of the dependencies in non-maven2 form (official
> download) you can manually install each of them in your local
> repository but this will become a PITA because maven

Norman tells me that although he uses Maven to build, he either manually
installs the jars or checks them by hand.

> Btw I still don't get where you add security: I bet that you never
> checked that the jars I uploaded to our repository are official and
> signed.

Anything I pull down from SVN is considered trusted because we presume that
our Committers *ARE* doing the right things.  No, I would never trust
ibiblio.  There have already been instances of false artifacts.  Again,
without signed artifacts, nothing should be trusted that cannot have its
origin validated.

> Why should you trust things in our svn more than things automatically
> downloaded by the temporary maven repository I setup on
> people.apache.org for the current poms?

I could trust your stuff, since it is downloaded directly from the ASF
infrastructure, but that is also the problem.  We cannot permit every
committer to create their own private repositories on the infrastructure.
We need mirroring to support scaling (which surfaces maven's security
issue).  You really don't want to do what you did, which is why I keep
trying to get you to communicate on the repository@ list.

	--- Noel
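An added example, not code from this thread or from the James project: a shell audit of a local Maven repository that applies Noel's rule ("nothing should be trusted that cannot have its origin validated") by checking every .jar/.pom against the .sha1 sidecar Maven writes beside it and flagging artifacts with no detached .asc signature. It assumes GNU coreutils sha1sum, the default groupId/artifactId/version layout, and optionally gpg with the publisher's key already in the local keyring; the go-offline/-o commands in the header are current Maven features, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the james-general thread.
# Audits a local Maven repository (default layout: groupId/artifactId/version/):
# every .jar/.pom must match its Maven-written .sha1 sidecar, and artifacts
# with no detached .asc signature are flagged.
# Assumes GNU coreutils sha1sum; gpg is optional (used only if on PATH, and a
# verify only succeeds when the publisher's key is already in the keyring).
#
# Offline-build companion (current Maven, not discussed in the thread):
#   mvn dependency:go-offline   # pre-fetch plugins and dependencies
#   mvn -o verify               # fail, rather than download, if anything is missing

# audit_m2_repo REPO_DIR
# Prints "<checksum-state> <signature-state> <path>" per artifact.
# Returns 0 only if every artifact has a matching .sha1; the signature state
# is reported but not required, because .asc files are fetched only on request.
audit_m2_repo() {
    repo="$1"
    fails=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$f.sha1" ]; then
            sum=NO_SHA1; fails=$((fails + 1))
        else
            # .sha1 sidecars hold the hex digest, sometimes followed by a filename.
            expected=$(awk '{ print tolower($1); exit }' "$f.sha1")
            actual=$(sha1sum "$f" | awk '{ print $1 }')
            if [ "$expected" = "$actual" ]; then sum=SHA1_OK
            else sum=SHA1_MISMATCH; fails=$((fails + 1)); fi
        fi
        if [ ! -f "$f.asc" ]; then sig=UNSIGNED
        elif ! command -v gpg >/dev/null 2>&1; then sig=SIG_PRESENT_UNVERIFIED
        elif gpg --batch --verify "$f.asc" "$f" >/dev/null 2>&1; then sig=SIG_OK
        else sig=SIG_BAD; fi
        printf '%s %s %s\n' "$sum" "$sig" "$f"
    done <<EOF
$(find "$repo" -type f \( -name '*.jar' -o -name '*.pom' \) | sort)
EOF
    [ "$fails" -eq 0 ]
}

# Run directly with a repository path, e.g. ./audit.sh ~/.m2/repository
if [ -n "${1:-}" ]; then
    audit_m2_repo "$1"
fi
```

A SHA1_OK line only proves the file matches the checksum that was downloaded with it, so it detects local corruption or tampering after download; only SIG_OK against a key you obtained out of band speaks to the artifact's origin.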
