Just would like to add my agreement with Mykel's position.
The problem is that you can have the best developers in your world, and still get screwed by one guy outside accidentally including a dependency with encumbering licensing. That's the big drawback of the automatic inclusion of transitive dependencies.

I am very lucky to be in an environment where I actually can download anything from anywhere, but I still remain uncomfortable with this aspect of maven. For one, I need to trust the community that it won't change anything down the road, and furthermore I need to keep snapshots of the repository image for reliable build reproduction purposes.

I believe running maven without at least some proxy setup is asking for trouble, even in the most liberal environment.
--
cg
Mykel Alvis wrote:
I still maintain, as I have said in other threads, you should audit not enforce lock down.

Why is that? It doesn't seem a particularly valid method in my current environment, but I'm willing to listen.

I think my developers are competent for the most part, given that they're a fairly large group broken into several pieces. But essentially to a (gender-nonspecific pronoun) they are not competent with maven, build processes in general or the reasons behind the controls associated with those processes.

I disagree about the lockdown vs. audit question, but I don't completely disagree...except when I'm obligated to do otherwise by the terms of my employment. Like at each commercial environment that I've worked in for the last several years.

I think audits usually work to handle dependency issues, and recommended them prior to release. But my current working dependency set is now over 1000 artifacts, and that's just a bit too much to ask. Plus, a couple of times before I got here an artifact slipped through the audit cracks so caching proxies are the only choice that I can see. I'm charged with working on an "accepted asset" list that would scan checked in poms and report checkins that had dependencies not on the list, but that's a few steps down the to-do list.

I should also note that there was no instance of distribution of disallowed artifacts at previous employers, but they had identical policies.

IANAL, but I do try to keep up with the legalities associated with licensing and if you're a largish firm that sells software and somebody catches on that you've distributed something unacceptably then it's your buttocks in the fire. That fire would also, very likely, include the firing of me. :)

As for locking down what can and can't be downloaded, it's a moot point. Even while I've been mandated to restrict maven's use of external repos, I can't help but do it since maven can't actually reach external repos from any build host that isn't part of the domain (which includes my entire build farm). :(
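The "accepted asset" scanner Mykel describes, sketched here as an added example (not code from anyone in this thread): parse a checked-in pom.xml, list the dependencies it declares, and report any groupId:artifactId that is not on an allow list. The sample POM and the allow list are constructed for the example; it only sees the dependencies written in the POM, so the transitive ones cg worries about still have to be checked from the tree Maven actually resolves.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not from the thread): one accepted dependency
# and one from a vendor that is not on the accepted list.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>com.somevendor</groupId>
      <artifactId>encumbered-widget</artifactId>
      <version>2.1</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    # Strip the {namespace} prefix so POMs with or without xmlns both work.
    return tag.rsplit("}", 1)[-1]


def pom_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        deps.append((fields.get("groupId", ""),
                     fields.get("artifactId", ""),
                     fields.get("version", "")))
    return deps


def check_accepted(pom_xml, accepted):
    """Report dependencies not on the accepted list.

    Entries are "groupId:artifactId" or "groupId:*" for a whole group.
    """
    return [d for d in pom_dependencies(pom_xml)
            if f"{d[0]}:{d[1]}" not in accepted and f"{d[0]}:*" not in accepted]
```

Run it over every pom.xml in a commit and fail the checkin when the returned list is non-empty.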