Konstantin Boudnik created ZEPPELIN-404:
-------------------------------------------

             Summary: Certain project dependencies are pulled from 3rd parties repos instead of ASF or public Maven
                 Key: ZEPPELIN-404
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-404
             Project: Zeppelin
          Issue Type: Bug
          Components: build
    Affects Versions: 0.5.0
            Reporter: Konstantin Boudnik
             Fix For: 0.5.5

Looking at the source code I see that
  spark/pom.xml
  lens/pom.xml
  spark-dependencies/pom.xml
use Cloudera's repo for the dependency resolution. All these projects are Apache TLPs, hence their artifacts and their dependencies should be pulled either from ASF server or public Maven server.

We shouldn't be pulling Apache projects' dependencies from a 3rd party source that could be outdated, contain non-Apache bits or outright malicious artifacts.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
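
The check this issue asks for can be automated. The following is an added example, not part of the original report or of Zeppelin's code: it lists the dependency and plugin repositories in a POM whose host is outside an allowlist. The allowlist contents, the function names and the sample POM (with the placeholder host `repo.vendor.example`) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: hosts treated as "ASF or public Maven"; adjust to project policy.
ALLOWED_HOSTS = {"repo.maven.apache.org", "repo1.maven.org", "repository.apache.org"}

# Constructed sample POM; repo.vendor.example is a placeholder third-party host.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>vendor-releases</id><url>https://repo.vendor.example/releases/</url></repository>
  </repositories>
  <profiles><profile><id>vendor</id>
    <pluginRepositories>
      <pluginRepository><id>vendor-plugins</id><url>https://repo.vendor.example/plugins/</url></pluginRepository>
    </pluginRepositories>
  </profile></profiles>
  <distributionManagement>
    <repository><id>deploy</id><url>https://deploy.vendor.example/</url></repository>
  </distributionManagement>
</project>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]

def untrusted_repos(pom_text, allowed=ALLOWED_HOSTS):
    """Return (section, id, url) for each resolution repo outside the allowlist."""
    findings = []
    for parent in ET.fromstring(pom_text).iter():
        # Only <repositories>/<pluginRepositories> (top level or inside a profile)
        # affect resolution; <distributionManagement><repository> is a deploy target.
        if local(parent.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in parent:
            fields = {local(c.tag): (c.text or "").strip() for c in repo}
            host = (urlparse(fields.get("url", "")).hostname or "").lower()
            if host not in allowed:
                findings.append((local(parent.tag), fields.get("id", ""), fields.get("url", "")))
    return findings

if __name__ == "__main__":
    for section, repo_id, url in untrusted_repos(SAMPLE_POM):
        print(f"{section}: {repo_id} -> {url}")
```

The function inspects only the POM text it is given; repositories inherited from a parent POM or configured in `settings.xml` need to be checked separately.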