On 1/2/07, Barrie Treloar <[EMAIL PROTECTED]> wrote:
> > 4. In a commercial environment, it is especially important to control what
> > assets that are accessible to developers, generally for legal reasons. and
> > I often took them at face value until quite recently. But my latest job has
>
> I still maintain, as I have said in other threads, you should audit not enforce lock down.
Why is that? It doesn't seem a particularly valid method in my current environment, but I'm willing to listen. I think my developers are competent for the most part, given that they're a fairly large group broken into several pieces. But essentially to a (gender-nonspecific pronoun) they are not competent with maven, build processes in general or the reasons behind the controls associated with those processes.

I disagree about the lockdown vs. audit question, but I don't completely disagree... except when I'm obligated to do otherwise by the terms of my employment. Like at each commercial environment that I've worked in for the last several years. I think audits usually work to handle dependency issues, and recommended them prior to release. But my current working dependency set is now over 1000 artifacts, and that's just a bit too much to ask. Plus, a couple of times before I got here an artifact slipped through the audit cracks, so caching proxies are the only choice that I can see. I'm charged with working on an "accepted asset" list that would scan checked-in poms and report checkins that had dependencies not on the list, but that's a few steps down the to-do list.

I should also note that there was no instance of distribution of disallowed artifacts at previous employers, but they had identical policies. IANAL, but I do try to keep up with the legalities associated with licensing, and if you're a largish firm that sells software and somebody catches on that you've distributed something unacceptably then it's your buttocks in the fire. That fire would also, very likely, include the firing of me. :)

As for locking down what can and can't be downloaded, it's a moot point. Even while I've been mandated to restrict maven's use of external repos, I can't help but do it since maven can't actually reach external repos from any build host that isn't part of the domain (which includes my entire build farm). :(

--
I'm just an unfrozen caveman software developer.
I don't understand your strange, "modern" ways.
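The "accepted asset" scan described above, as an added example and not code from this thread: it parses a checked-in POM, resolves `${...}` property references so a versioned dependency cannot hide behind a property, and reports every coordinate not on the accepted list. The sample POM, the accepted list and the function names are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
PROP_RE = re.compile(r"\$\{([^}]+)\}")

def _text(el, tag):
    child = el.find(POM_NS + tag)
    return (child.text or "").strip() if child is not None else ""

def _interpolate(value, props):
    # Resolve ${...} from <properties>; unresolved references stay verbatim
    # so they show up in the report instead of silently vanishing.
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def parse_dependencies(pom_xml):
    """(groupId, artifactId, version) for every <dependency>, dependencyManagement included."""
    root = ET.fromstring(pom_xml)
    props = {"project.version": _text(root, "version"),
             "project.groupId": _text(root, "groupId")}
    props_el = root.find(POM_NS + "properties")
    for p in (props_el if props_el is not None else []):
        props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()
    return [tuple(_interpolate(_text(d, tag), props)
                  for tag in ("groupId", "artifactId", "version"))
            for d in root.iter(POM_NS + "dependency")]

def find_disallowed(pom_xml, accepted):
    """accepted: 'g:a:v' entries (exact) or 'g:a' (any version); returns uncovered coordinates."""
    bad = []
    for g, a, v in parse_dependencies(pom_xml):
        if f"{g}:{a}:{v}" not in accepted and f"{g}:{a}" not in accepted:
            bad.append(f"{g}:{a}:{v}")
    return bad

# Constructed sample POM: a property-versioned dep, a ${project.*}-versioned
# dep, and one artifact that is not on the accepted list.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>app</artifactId><version>1.2.0</version>
  <properties><commons.version>2.3</commons.version></properties>
  <dependencies>
    <dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId><version>${commons.version}</version></dependency>
    <dependency><groupId>${project.groupId}</groupId><artifactId>core</artifactId><version>${project.version}</version></dependency>
    <dependency><groupId>org.unknown</groupId><artifactId>mystery-lib</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""
ACCEPTED = {"commons-lang:commons-lang:2.3", "com.example:core"}

if __name__ == "__main__":
    for coords in find_disallowed(SAMPLE_POM, ACCEPTED):
        print("NOT ON ACCEPTED LIST:", coords)
```

Run against every pom.xml in a checkin to get the report the thread describes; a missing `<version>` (one managed elsewhere) is reported with an empty version so it still has to be covered by a `g:a` entry.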
