Hi guys,
sorry, I'm back on the project after some busy weeks ;)
I agree with Tony: for convenience, having multiple Maven repos in the
pom.xml is not a big deal.
Just my $0.01
Regards
JB
On 11/06/2015 07:11 PM, Tony Kurc wrote:
As we're providing source code, the repositories section in the pom are
more a "convenient pointer" than a "thou shalt use". Building using a
different repository of your choosing is as simple as adding a mirror in
your maven settings.
Because of this, I'm not even close to having an objection.
On Fri, Nov 6, 2015 at 1:03 PM, Joe Witt <[email protected]> wrote:
As an additional data point Hadoop does this as well. So Hadoop,
Spark, and HBase easily three of the most widely built open source
projects around do this.
Thanks
Joe
On Fri, Nov 6, 2015 at 1:01 PM, Joe Witt <[email protected]> wrote:
What are some examples of networks which can access maven central but
cannot access JCenter?
Thanks
Joe
On Fri, Nov 6, 2015 at 12:10 PM, Adam Taft <[email protected]> wrote:
I'm concerned that not all networks will be able to connect with and use
the JCenter repository. If it's not in Maven Central, we should likely
avoid the dependency and instead find alternative approaches.
Adam
On Fri, Nov 6, 2015 at 11:31 AM, Joe Witt <[email protected]> wrote:
joe explained to me he meant to update the nifi pom.xml with this
repository. Today we use whatever the apache pom (which we extend
from uses) which for releases is nothing which means it is whatever
maven defaults to (presumably maven central). So we see that spark
does this explicit addition of repositories on their pom for both
primary artifacts and plugins.
My concern with this is that our requirement as a community is to
provide repeatable builds. We looked into what Hbase and Spark do and
in fact both of them extend their poms to depend on other repos as
well so there is precedent.
In light of finding other apache projects that use extra repositories
and the fact that Jcenter Bintray while being a commercially focused
repo is offering free support for OSS artifacts then I think the risk
is low. I am ok with this.
Anyone have a different view?
Thanks
Joe
On Fri, Nov 6, 2015 at 11:04 AM, Joe Witt <[email protected]> wrote:
Joe
Sorry i didn't catch this thread sooner. I am not supportive of
adding a required repo if it means we need to tell folks to update
their maven settings. While it sounds trivial it really isn't. We
should seek to understand better what other projects do for such
things. Definitely no fast movement on this one please.
Thanks
Joe
On Fri, Nov 6, 2015 at 10:18 AM, Joe Percivall
<[email protected]> wrote:
As no issues were brought up, I'm going to assume that everyone is
ok
with adding Bintray JCenter as a repo. I plan on using it in a patch
for
0.4.0 in which I'm refactoring InvokeHttp. The patch is dependent on a
lib
to add digest authentication that is only hosted there.
Thanks,
Joe
- - - - - -
Joseph Percivall
linkedin.com/in/Percivall
e: [email protected]
On Tuesday, November 3, 2015 4:52 PM, Matthew Burgess <
[email protected]> wrote:
Bintray JCenter (https://bintray.com/bintray/jcenter/) is also
moderated and
claims to be "the repository with the biggest collection of Maven
artifacts
in the world". I think Bintray itself proxies out to Maven Central,
but
it
appears that for JCenter you choose to sync your artifacts with
Maven
Central: http://blog.bintray.com/tag/maven-central/
I imagine trust is still a per-organization or per-artifact issue,
but
Bintray claims to be even safer and more trustworthy than Maven
Central
(source:
http://blog.bintray.com/2014/08/04/feel-secure-with-ssl-think-again/).
For
my (current) work and home projects, I still resolve from Maven
Central, but
I have been publishing my own artifacts to Bintray.
Regards,
Matt
From: Aldrin Piri <[email protected]>
Reply-To: <[email protected]>
Date: Tuesday, November 3, 2015 at 12:34 PM
To: <[email protected]>
Subject: Incorporation of other Maven repositories
I am writing to see what the general guidance and posture is on
incorporating additional repositories into the build process.
Obviously, Maven Central provides a very known quantity. Are there
other
repositories that are viewed with the same level of trust? If so,
is
there
a listing? If not, do we vet new sources as they bring libraries
that
aid
our project and how is this accomplished?
Incorporating other repos brings up additional areas of concern,
specifically availability but also some additional security
considerations
to the binaries that are being retrieved.
Any thoughts on this front would be much appreciated.
--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
