[
https://issues.apache.org/jira/browse/HADOOP-3302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12591953#action_12591953
]
Steve Loughran commented on HADOOP-3302:
----------------------------------------
I am supportive of having a POM for the hadoop artifacts and publishing in the
repository...I will file a related patch to add those
However, the other concerns here: library security, licensing, are not in scope
for this project. They are an consequence of using Maven or Ivy.
for reference
1. artifacts are MD5 signed; this can detect accidental corruption but not
malicious artifacts (including malicious metadata)
2. some POMS contain license information, but this is patchy; you are left to
determine for yourself whether JARs are compatible.
3. Apache are fairly strict about preventing unapproved apache artifacts
getting into the repository, but the process is vulneable to someone malicious
uploading a third party JAR (such as jedit) which has been subverted
if these issues concern you, you shouldnt be using public repositories and
transitive dependencies.
> Support Maven-based builds
> --------------------------
>
> Key: HADOOP-3302
> URL: https://issues.apache.org/jira/browse/HADOOP-3302
> Project: Hadoop Core
> Issue Type: New Feature
> Affects Versions: 0.18.0
> Reporter: Edward J. Yoon
>
> The reasons I would like to use maven are:
> - the possibility to define artifact templates to define a kind of standard
> layout/design by artifact
> - it is not necessary for every developer to come up with his own ant
> build-file and process
> - the possibility to define and resolve dependencies transitively
> But there are also some disadvantages/concerns I identified:
> Maven is downloading a lot of plugins from a central repository that is not
> under my control
> - What's about the licenses of these plugins? How do I know I am allowed to
> use them for a commercial product?
> - What's about security? How can I be sure, that the plugins are not
> manipulated and contain the original (delivered by the JAR provider for e.g.
> junit-jar) contents. I observed, that some plugins didn't pass the md5 checks
> but have been installed anyway.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
