Closed cspurk closed 11 years ago
Assigned.
Thanks, Christian, for your precious comments. We are going to consider them and find a balanced solution before the platform is made open access.
We've taken into consideration both the suggestions of people wondering whether the repositories used could become unavailable (it seems that from time to time this already happens) and whether caching them could be better, and those of people wondering whether cached artifacts could have been altered.
We've reached the following agreement.
We will remove Maven Central from the cache. This repository is reliable and does not need to be put in the cache.
When developers need artifacts that are not available from Maven Central, their administrators will take care of it by caching the needed repositories when necessary. Perhaps, before doing that, administrators could ask the owners of those artifacts whether they are going to make them available from Maven Central.
For libraries that are not available as Maven artifacts but that, for our convenience, we would like to have available as Maven artifacts, we plan to ask their developers to make them available as Maven artifacts from Maven Central. If that is not possible, we could make them available as Maven artifacts from our internal repository, in agreement with the licence of the libraries and their developers.
The Artifactory Maven repository at http://hlt-services4.fbk.eu:8080/artifactory/repo appears to be configured to mirror Maven Central. Because EOP is configured to use this repository, all EOP dependencies (incl. common OSS dependencies) are downloaded from this repository unless they are already available in a user’s local repository.
In the best case, the Artifactory repository is really only a mirror. But how could one be sure? Who guarantees that all third-party artifacts which are provided by this repository are unaltered? If artifacts from this repository should have been altered, then in the best case they might just work. But they might also be incomplete, faulty, bogus or even malicious. It’s not my intention to impute anything like that to the people hosting this repository. It’s just that I feel that this situation should be changed, not least to give users who would otherwise feel uncomfortable the possibility to use EOP.
As you know, people usually only have a single local Maven repository to which third-party dependencies are automatically downloaded. Thus, altered artifacts would not only affect EOP; other Java projects of a user using these dependencies would be affected, too!
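One concrete way to answer the "how could one be sure?" question above is to hash every jar already sitting in the local `~/.m2/repository` and compare it with the `.sha1` sidecar that Maven Central publishes for the same path, fetched from Central directly rather than from the mirror (a mirror that altered a jar could just as easily serve a matching altered `.sha1`). The script below is an added example written for this thread; it is not code from the EOP project or from anyone in the issue. It assumes the standard `~/.m2/repository` layout (which mirrors Central's own path layout, so `CENTRAL + relative path` is the artifact's Central URL), Central's `.sha1` sidecar files, and the Maven 3 `_remote.repositories` marker format (one `<filename>><repo-id>=` line per downloaded file), which records which configured repository each file came from. The repository ids, coordinates and jar bytes in the test data are constructed.

```python
"""Verify jars in a local Maven repository against the SHA-1 digests Maven
Central publishes, and report which remote repository each jar came from.

Added example for the concern raised in this issue, not EOP project code.
Assumptions: ~/.m2/repository layout (same as Central's URL layout), Central
``<artifact>.sha1`` sidecars, and Maven 3 ``_remote.repositories`` markers.
"""
import hashlib
import re
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import urlopen

CENTRAL = "https://repo.maven.apache.org/maven2"

# Central .sha1 files are either the bare 40-hex digest or "<digest>  <file>".
_SHA1_RE = re.compile(r"^\s*([0-9a-fA-F]{40})\b")
# Maven 3 marker line, e.g. "foo-1.0.jar>central=" (repo id is user-configured).
_MARKER_RE = re.compile(r"^(?P<file>[^>]+)>(?P<repo>[^=]*)=")


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the artifact bytes as lowercase hex, the form Central publishes."""
    return hashlib.sha1(data).hexdigest()


def parse_sha1_file(text: str) -> str:
    """Extract the digest from a .sha1 sidecar; reject files that have none."""
    m = _SHA1_RE.match(text)
    if not m:
        raise ValueError("no SHA-1 digest in checksum file")
    return m.group(1).lower()


def parse_remote_repositories(text: str) -> Dict[str, str]:
    """Map filename -> repository id from a _remote.repositories marker file."""
    origins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _MARKER_RE.match(line)
        if m:
            origins[m.group("file")] = m.group("repo")
    return origins


def fetch_central_sha1(rel_path: str) -> Optional[str]:
    """Fetch Central's .sha1 for a repository-relative path; None on 404."""
    try:
        with urlopen(f"{CENTRAL}/{rel_path}.sha1") as resp:
            return resp.read().decode("ascii", "replace")
    except HTTPError as e:
        if e.code == 404:
            return None
        raise


def check_artifacts(artifacts: Iterable[Tuple[str, bytes, str]],
                    fetch: Callable[[str], Optional[str]]) -> Dict[str, Tuple[str, str]]:
    """Compare each (rel_path, bytes, repo_id) with Central's published digest.

    Returns {rel_path: (status, repo_id)} with status 'ok', 'MISMATCH' (local
    bytes differ from what Central serves) or 'not-on-central' (no independent
    copy exists, so the origin repository has to be trusted on its own).
    """
    report = {}
    for rel_path, data, repo_id in artifacts:
        sidecar = fetch(rel_path)
        if sidecar is None:
            status = "not-on-central"
        elif sha1_hex(data) == parse_sha1_file(sidecar):
            status = "ok"
        else:
            status = "MISMATCH"
        report[rel_path] = (status, repo_id)
    return report


def walk_local_repo(root: Path) -> Iterable[Tuple[str, bytes, str]]:
    """Yield (rel_path, bytes, repo_id) for every jar under a ~/.m2 layout."""
    for jar in root.rglob("*.jar"):
        marker = jar.parent / "_remote.repositories"
        origins = parse_remote_repositories(marker.read_text()) if marker.exists() else {}
        yield jar.relative_to(root).as_posix(), jar.read_bytes(), origins.get(jar.name, "unknown")


if __name__ == "__main__":
    repo = Path.home() / ".m2" / "repository"
    for path, (status, origin) in check_artifacts(walk_local_repo(repo), fetch_central_sha1).items():
        if status != "ok":
            print(f"{status:15} {origin:20} {path}")
```

Two caveats a practitioner should keep in mind. First, a match only proves the mirror handed out the same bytes Central has; it says nothing about artifacts that exist solely on the internal repository, which is exactly the set the maintainers' reply leaves in the cache, and those show up as `not-on-central` so they can be reviewed by hand. Second, a `.sha1` sidecar is an integrity check, not an authenticity check; for the stronger guarantee, verify the `.asc` PGP signatures Central also publishes against the publisher's key.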