nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: Incorporation of other Maven repositories
Date Fri, 06 Nov 2015 18:13:12 GMT
Hi guys,

sorry, I'm back on the project after some busy weeks ;)

I agree with Tony: for convenience, having multiple Maven repos in the 
pom.xml is not a big deal.

Just my $0.01

Regards
JB

On 11/06/2015 07:11 PM, Tony Kurc wrote:
> As we're providing source code, the repositories section in the pom are
> more a "convenient pointer" than a "thou shalt use". Building using a
> different repository of your choosing is as simple as adding a mirror in
> your maven settings.
>
> Because of this, I'm not even close to having an objection.
>
> On Fri, Nov 6, 2015 at 1:03 PM, Joe Witt <joe.witt@gmail.com> wrote:
>
>> As an additional data point Hadoop does this as well.  So Hadoop,
>> Spark, and HBase easily three of the most widely built open source
>> projects around do this.
>>
>> Thanks
>> Joe
>>
>> On Fri, Nov 6, 2015 at 1:01 PM, Joe Witt <joe.witt@gmail.com> wrote:
>>> What are some examples of networks which can access maven central but
>>> cannot access JCenter?
>>>
>>> Thanks
>>> Joe
>>>
>>> On Fri, Nov 6, 2015 at 12:10 PM, Adam Taft <adam@adamtaft.com> wrote:
>>>> I'm concerned that not all networks will be able to connect with and use
>>>> the JCenter repository.  If it's not in Maven Central, we should likely
>>>> avoid the dependency and instead find alternative approaches.
>>>>
>>>> Adam
>>>>
>>>>
>>>>
>>>> On Fri, Nov 6, 2015 at 11:31 AM, Joe Witt <joe.witt@gmail.com> wrote:
>>>>
>>>>> joe explained to me he meant to update the nifi pom.xml with this
>>>>> repository.  Today we use whatever the apache pom (which we extend
>>>>> from uses) which for releases is nothing which means it is whatever
>>>>> maven defaults to (presumably maven central).  So we see that spark
>>>>> does this explicit addition of repositories on their pom for both
>>>>> primary artifacts and plugins.
>>>>>
>>>>> My concern with this is that our requirement as a community is to
>>>>> provide repeatable builds.  We looked into what Hbase and Spark do and
>>>>> in fact both of them extend their poms to depend on other repos as
>>>>> well so there is precedent.
>>>>>
>>>>> In light of finding other apache projects that use extra repositories
>>>>> and the fact that Jcenter Bintray while being a commercially focused
>>>>> repo is offering free support for OSS artifacts then I think the risk
>>>>> is low.  I am ok with this.
>>>>>
>>>>> Anyone have a different view?
>>>>>
>>>>> Thanks
>>>>> Joe
>>>>>
>>>>> On Fri, Nov 6, 2015 at 11:04 AM, Joe Witt <joe.witt@gmail.com>
wrote:
>>>>>> Joe
>>>>>>
>>>>>> Sorry i didn't catch this thread sooner.  I am not supportive of
>>>>>> adding a required repo if it means we need to tell folks to update
>>>>>> their maven settings.  While it sounds trivial it really isn't. 
We
>>>>>> should seek to understand better what other projects do for such
>>>>>> things.  Definitely no fast movement on this one please.
>>>>>>
>>>>>> Thanks
>>>>>> Joe
>>>>>>
>>>>>> On Fri, Nov 6, 2015 at 10:18 AM, Joe Percivall
>>>>>> <joepercivall@yahoo.com.invalid> wrote:
>>>>>>> As no issues were brought up, I'm going to assume that everyone
is
>> ok
>>>>> with adding Bintray JCenter as a repo. I plan on using it in a patch
>> for
>>>>> 0.4.0 in which I'm refactoring InvokeHttp. The patch is dependent on
a
>> lib
>>>>> to add digest authentication that is only hosted there.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Joe
>>>>>>> - - - - - -
>>>>>>> Joseph Percivall
>>>>>>> linkedin.com/in/Percivall
>>>>>>> e: joepercivall@yahoo.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tuesday, November 3, 2015 4:52 PM, Matthew Burgess <
>>>>> mattyb149@gmail.com> wrote:
>>>>>>> Bintray JCenter (https://bintray.com/bintray/jcenter/) is also
>>>>> moderated and
>>>>>>> claims to be "the repository with the biggest collection of Maven
>>>>> artifacts
>>>>>>> in the world". I think Bintray itself proxies out to Maven Central,
>> but
>>>>> it
>>>>>>> appears that for JCenter you choose to sync your artifacts with
>> Maven
>>>>>>> Central: http://blog.bintray.com/tag/maven-central/
>>>>>>>
>>>>>>> I imagine trust is still a per-organization or per-artifact issue,
>> but
>>>>>>> Bintray claims to be even safer and more trustworthy than Maven
>> Central
>>>>>>> (source:
>>>>>>>
>> http://blog.bintray.com/2014/08/04/feel-secure-with-ssl-think-again/).
>>>>> For
>>>>>>> my (current) work and home projects, I still resolve from Maven
>>>>> Central, but
>>>>>>> I have been publishing my own artifacts to Bintray.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Matt
>>>>>>>
>>>>>>> From:  Aldrin Piri <aldrinpiri@gmail.com>
>>>>>>> Reply-To:  <dev@nifi.apache.org>
>>>>>>> Date:  Tuesday, November 3, 2015 at 12:34 PM
>>>>>>> To:  <dev@nifi.apache.org>
>>>>>>> Subject:  Incorporation of other Maven repositories
>>>>>>>
>>>>>>>
>>>>>>> I am writing to see what the general guidance and posture is
on
>>>>>>> incorporating additional repositories into the build process.
>>>>>>>
>>>>>>> Obviously, Maven Central provides a very known quantity.  Are
there
>>>>> other
>>>>>>> repositories that are viewed with the same level of trust?  If
so,
>> is
>>>>> there
>>>>>>> a listing? If not, do we vet new sources as they bring libraries
>> that
>>>>> aid
>>>>>>> our project and how is this accomplished?
>>>>>>>
>>>>>>> Incorporating other repos brings up additional areas of concern,
>>>>>>> specifically availability but also some additional security
>>>>> considerations
>>>>>>> to the binaries that are being retrieved.
>>>>>>>
>>>>>>> Any thoughts on this front would be much appreciated.
>>>>>
>>
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Mime
View raw message