nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Taft <a...@adamtaft.com>
Subject Re: Incorporation of other Maven repositories
Date Fri, 06 Nov 2015 18:37:55 GMT
I'm OK with this if trkurc is OK with this.  He's far wiser than I on most
everything.  ;)



On Fri, Nov 6, 2015 at 1:11 PM, Tony Kurc <trkurc@gmail.com> wrote:

> As we're providing source code, the repositories section in the pom are
> more a "convenient pointer" than a "thou shalt use". Building using a
> different repository of your choosing is as simple as adding a mirror in
> your maven settings.
>
> Because of this, I'm not even close to having an objection.
>
> On Fri, Nov 6, 2015 at 1:03 PM, Joe Witt <joe.witt@gmail.com> wrote:
>
> > As an additional data point Hadoop does this as well.  So Hadoop,
> > Spark, and HBase easily three of the most widely built open source
> > projects around do this.
> >
> > Thanks
> > Joe
> >
> > On Fri, Nov 6, 2015 at 1:01 PM, Joe Witt <joe.witt@gmail.com> wrote:
> > > What are some examples of networks which can access maven central but
> > > cannot access JCenter?
> > >
> > > Thanks
> > > Joe
> > >
> > > On Fri, Nov 6, 2015 at 12:10 PM, Adam Taft <adam@adamtaft.com> wrote:
> > >> I'm concerned that not all networks will be able to connect with and
> use
> > >> the JCenter repository.  If it's not in Maven Central, we should
> likely
> > >> avoid the dependency and instead find alternative approaches.
> > >>
> > >> Adam
> > >>
> > >>
> > >>
> > >> On Fri, Nov 6, 2015 at 11:31 AM, Joe Witt <joe.witt@gmail.com> wrote:
> > >>
> > >>> joe explained to me he meant to update the nifi pom.xml with this
> > >>> repository.  Today we use whatever the apache pom (which we extend
> > >>> from uses) which for releases is nothing which means it is whatever
> > >>> maven defaults to (presumably maven central).  So we see that spark
> > >>> does this explicit addition of repositories on their pom for both
> > >>> primary artifacts and plugins.
> > >>>
> > >>> My concern with this is that our requirement as a community is to
> > >>> provide repeatable builds.  We looked into what Hbase and Spark do
> and
> > >>> in fact both of them extend their poms to depend on other repos as
> > >>> well so there is precedent.
> > >>>
> > >>> In light of finding other apache projects that use extra repositories
> > >>> and the fact that Jcenter Bintray while being a commercially focused
> > >>> repo is offering free support for OSS artifacts then I think the risk
> > >>> is low.  I am ok with this.
> > >>>
> > >>> Anyone have a different view?
> > >>>
> > >>> Thanks
> > >>> Joe
> > >>>
> > >>> On Fri, Nov 6, 2015 at 11:04 AM, Joe Witt <joe.witt@gmail.com>
> wrote:
> > >>> > Joe
> > >>> >
> > >>> > Sorry i didn't catch this thread sooner.  I am not supportive
of
> > >>> > adding a required repo if it means we need to tell folks to update
> > >>> > their maven settings.  While it sounds trivial it really isn't.
 We
> > >>> > should seek to understand better what other projects do for such
> > >>> > things.  Definitely no fast movement on this one please.
> > >>> >
> > >>> > Thanks
> > >>> > Joe
> > >>> >
> > >>> > On Fri, Nov 6, 2015 at 10:18 AM, Joe Percivall
> > >>> > <joepercivall@yahoo.com.invalid> wrote:
> > >>> >> As no issues were brought up, I'm going to assume that everyone
is
> > ok
> > >>> with adding Bintray JCenter as a repo. I plan on using it in a patch
> > for
> > >>> 0.4.0 in which I'm refactoring InvokeHttp. The patch is dependent on
> a
> > lib
> > >>> to add digest authentication that is only hosted there.
> > >>> >>
> > >>> >> Thanks,
> > >>> >> Joe
> > >>> >> - - - - - -
> > >>> >> Joseph Percivall
> > >>> >> linkedin.com/in/Percivall
> > >>> >> e: joepercivall@yahoo.com
> > >>> >>
> > >>> >>
> > >>> >>
> > >>> >>
> > >>> >> On Tuesday, November 3, 2015 4:52 PM, Matthew Burgess <
> > >>> mattyb149@gmail.com> wrote:
> > >>> >> Bintray JCenter (https://bintray.com/bintray/jcenter/) is
also
> > >>> moderated and
> > >>> >> claims to be "the repository with the biggest collection of
Maven
> > >>> artifacts
> > >>> >> in the world". I think Bintray itself proxies out to Maven
> Central,
> > but
> > >>> it
> > >>> >> appears that for JCenter you choose to sync your artifacts
with
> > Maven
> > >>> >> Central: http://blog.bintray.com/tag/maven-central/
> > >>> >>
> > >>> >> I imagine trust is still a per-organization or per-artifact
issue,
> > but
> > >>> >> Bintray claims to be even safer and more trustworthy than
Maven
> > Central
> > >>> >> (source:
> > >>> >>
> > http://blog.bintray.com/2014/08/04/feel-secure-with-ssl-think-again/).
> > >>> For
> > >>> >> my (current) work and home projects, I still resolve from
Maven
> > >>> Central, but
> > >>> >> I have been publishing my own artifacts to Bintray.
> > >>> >>
> > >>> >> Regards,
> > >>> >> Matt
> > >>> >>
> > >>> >> From:  Aldrin Piri <aldrinpiri@gmail.com>
> > >>> >> Reply-To:  <dev@nifi.apache.org>
> > >>> >> Date:  Tuesday, November 3, 2015 at 12:34 PM
> > >>> >> To:  <dev@nifi.apache.org>
> > >>> >> Subject:  Incorporation of other Maven repositories
> > >>> >>
> > >>> >>
> > >>> >> I am writing to see what the general guidance and posture
is on
> > >>> >> incorporating additional repositories into the build process.
> > >>> >>
> > >>> >> Obviously, Maven Central provides a very known quantity. 
Are
> there
> > >>> other
> > >>> >> repositories that are viewed with the same level of trust?
 If so,
> > is
> > >>> there
> > >>> >> a listing? If not, do we vet new sources as they bring libraries
> > that
> > >>> aid
> > >>> >> our project and how is this accomplished?
> > >>> >>
> > >>> >> Incorporating other repos brings up additional areas of concern,
> > >>> >> specifically availability but also some additional security
> > >>> considerations
> > >>> >> to the binaries that are being retrieved.
> > >>> >>
> > >>> >> Any thoughts on this front would be much appreciated.
> > >>>
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message