Joe Sorry i didn't catch this thread sooner. I am not supportive of adding a required repo if it means we need to tell folks to update their maven settings. While it sounds trivial it really isn't. We should seek to understand better what other projects do for such things. Definitely no fast movement on this one please.
Thanks Joe On Fri, Nov 6, 2015 at 10:18 AM, Joe Percivall <[email protected]> wrote: > As no issues were brought up, I'm going to assume that everyone is ok with > adding Bintray JCenter as a repo. I plan on using it in a patch for 0.4.0 in > which I'm refactoring InvokeHttp. The patch is dependent on a lib to add > digest authentication that is only hosted there. > > Thanks, > Joe > - - - - - - > Joseph Percivall > linkedin.com/in/Percivall > e: [email protected] > > > > > On Tuesday, November 3, 2015 4:52 PM, Matthew Burgess <[email protected]> > wrote: > Bintray JCenter (https://bintray.com/bintray/jcenter/) is also moderated and > claims to be "the repository with the biggest collection of Maven artifacts > in the world". I think Bintray itself proxies out to Maven Central, but it > appears that for JCenter you choose to sync your artifacts with Maven > Central: http://blog.bintray.com/tag/maven-central/ > > I imagine trust is still a per-organization or per-artifact issue, but > Bintray claims to be even safer and more trustworthy than Maven Central > (source: > http://blog.bintray.com/2014/08/04/feel-secure-with-ssl-think-again/). For > my (current) work and home projects, I still resolve from Maven Central, but > I have been publishing my own artifacts to Bintray. > > Regards, > Matt > > From: Aldrin Piri <[email protected]> > Reply-To: <[email protected]> > Date: Tuesday, November 3, 2015 at 12:34 PM > To: <[email protected]> > Subject: Incorporation of other Maven repositories > > > I am writing to see what the general guidance and posture is on > incorporating additional repositories into the build process. > > Obviously, Maven Central provides a very known quantity. Are there other > repositories that are viewed with the same level of trust? If so, is there > a listing? If not, do we vet new sources as they bring libraries that aid > our project and how is this accomplished? > > Incorporating other repos brings up additional areas of concern, > specifically availability but also some additional security considerations > to the binaries that are being retrieved. > > Any thoughts on this front would be much appreciated.
