Gentlemen, is there any progress with this issue? We are approaching release 1.1 and I would be very hesitant to keep a component with 3rd party binaries as a part of it. Will it get fixed on the Kite side or we'll have to patch the source code as a workaround?
Thanks for your help! Cos On Fri, Sep 11, 2015 at 10:37AM, Ryan Blue wrote: > Cos, > > I wasn't aware that all of the dependencies are being pulled from > the Cloudera repos and you're right that it seems strange. What's > causing that to happen? If it's something on the Kite side, let us > know how we can fix it. > > Mark, > > Yes, we do publish to maven central. It sounds like the problem is > that somehow the Cloudera repo is being used instead of maven > central. > > rb > > On 09/11/2015 09:31 AM, Mark Grover wrote: > >Adding Ryan back > > > >Thanks Ryan! > > > >And, thanks Cos. Yeah, that makes total sense. I think that's a > >reasonable goal, it's likely not something we can achieve overnight but > >we can march towards that steadily. In particular, that involves two things: > >1) Selectively building stuff that bigtop cares about. > >2) Encouraging projects like Kite to publish their jars in maven > >central, etc. (Ryan do you have any plans to do that? Or, is that the > >case already?) > > > >I'll create a JIRA and add some details there, feel free to add if I > >missed something. > > > >Mark > > > >On Thu, Sep 10, 2015 at 4:02 PM, Konstantin Boudnik <[email protected] > ><mailto:[email protected]>> wrote: > > > > Thanks for the explanation Ryan! Certainly excluding the non-Apache > > specific > > modules make sense and needs to be done. > > > > The other issue here, is that _all_ dependencies, including those > > that Hadoop > > and other components depends on, are pulled out of Cloudera repo. > > That's the biggest one in my opinion. While I am not suspecting Cloudera > > will be putting anything malicious into httpcomponents I, as a RM > > and a PMC > > member of this project, don't feel right gpg-signing packages > > without knowing > > what some of the jars contain. So my main concern is that if we > > supply binary > > packages to our users we should be sure that we are using either > > - official public repos like mavencentral, that contains the jars > > deployed by > > the official development teams of those components; or > > - ASF Infra repos where all the artifacts are controlled and a > > responsibility > > of a particular project's PMC > > > > Does it make sense? > > Cos > > > -- > Ryan Blue
signature.asc
Description: Digital signature
