jprante / gradle-plugin-jflex

A JFlex plugin for Gradle
Apache License 2.0

Publish gradle-plugin-jflex to maven central? #1

Closed JesusFreke closed 8 years ago

JesusFreke commented 8 years ago

Hi! I'd like to switch over from using @thomaslee's gradle-jflex-plugin to yours (as discussed recently in an issue in that project). However, I'm a little hesitant to pull in a build plugin from a random personal domain :) Would it be possible to get your plugin published to the maven central repository?

jprante commented 8 years ago

I can publish it on Maven Central, yes.

xbib.org is not a random personal domain, it's my domain. Just some food for thought: why should you and I trust Sonatype? It's a random personal company :) Tomorrow, it may be gone forever (bankruptcy, server shutdown e.g. by DMCA, sellout). Plus, the company and its server are based in the US, unreachable for me physically, and my code is not protected in the US (no safe harbor), and I also do not 100% agree with US export restrictions. My server is located in France, I can have access to the building, and it is protected by French law, which is harmonized with German law. So it's always good to distribute software from a trusted location.

JesusFreke commented 8 years ago

Yes, and from my perspective, that's a random personal domain :)

It's not about it going down, which isn't any big deal. It's more about security. A single person isn't going to have the same resources as a corporation to be able to provide comprehensive security for a website. And if someone can replace the files hosted on your server, then they get local code execution on anyone's machine using that plugin to build.

I'm already trusting Sonatype's servers, both to host the artefacts for smali, and to pull the various dependencies used by smali. So using them for yet another dependency doesn't add any additional risk.

It's nothing personal :) Heck, I wouldn't trust a website that I hosted in that regard, because I know that there's no way I would be able to provide a sufficient level of security.

If you feel strongly about not hosting on maven central, I can also look into using something like https://github.com/WhisperSystems/gradle-witness to verify the plugin automatically before use.

jprante commented 8 years ago

Published at Sonatype Inc.

http://repo1.maven.org/maven2/org/xbib/gradle/plugin/gradle-plugin-jflex/1.1.0/

Published at gradle

https://plugins.gradle.org/plugin/org.xbib.gradle.plugin.jflex

Published at xbib

http://xbib.org/repository/org/xbib/gradle/plugin/gradle-plugin-jflex/1.1.0/

If security cannot be guaranteed by individuals, only by companies, it's no security at all.

It's no problem for me to provide signed artifacts and checksums. Until now, nobody requested it, so I did not add cryptography to my artifacts.

You can verify the artifacts with gnupg and validate checksums with SHA (or MD5) but I think you know how it works.

The security I provide requires trust in me, not in Sonatype, Inc, or Gradle, Inc. :)
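The checksum and signature verification jprante refers to above, written out as an added example (not code from the issue thread or from the gradle-plugin-jflex project). It assumes the artifact and its Maven-style sidecar file (`<artifact>.sha1` or `<artifact>.sha256`) have already been downloaded into the same directory, and that a detached `.asc` signature is present only if the publisher signs releases; the sample artifact it creates is constructed for the demo and is not a real jar.

```shell
#!/bin/sh
# Added example: verify a downloaded Maven artifact against its sidecar
# checksum file (and optionally its detached GnuPG signature) before a
# build is allowed to consume it. Not part of the original project.

# digest_of FILE ALGO  -> prints the lowercase hex digest for ALGO (sha1|sha256)
digest_of() {
    case "$2" in
        sha1|sha256) ;;
        *) echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
    if command -v "$2sum" >/dev/null 2>&1; then   # coreutils sha1sum / sha256sum
        "$2sum" "$1" | cut -d' ' -f1
    else                                           # fallback: perl shasum (macOS)
        shasum -a "${2#sha}" "$1" | cut -d' ' -f1
    fi
}

# verify_checksum ARTIFACT CHECKSUM_FILE ALGO -> 0 if the digest matches, 1 if not.
# Maven sidecar files hold either just the hex digest or "digest  filename",
# so only the first whitespace-separated token is compared.
verify_checksum() {
    artifact=$1; sumfile=$2; algo=$3
    expected=$(cut -d' ' -f1 < "$sumfile" | tr -d '\r\n' | tr 'A-F' 'a-f')
    actual=$(digest_of "$artifact" "$algo") || return 2
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK   $artifact ($algo)"
        return 0
    fi
    echo "FAIL $artifact: expected '$expected' got '$actual'" >&2
    return 1
}

# verify_signature ARTIFACT -> runs gpg against the detached ARTIFACT.asc.
# Only meaningful after the publisher's key has been imported and its
# fingerprint confirmed out of band; returns 3 if gpg is not installed.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    gpg --verify "$1.asc" "$1"
}

# --- constructed demo input (not a real artifact) ---
workdir=$(mktemp -d)
artifact="$workdir/gradle-plugin-jflex-1.1.0.jar"
printf 'abc' > "$artifact"                          # known test vector "abc"
printf '%s\n' "$(digest_of "$artifact" sha1)" > "$artifact.sha1"   # matching sidecar
printf '%s  other.jar\n' "$(digest_of "$artifact" sha256)" > "$artifact.sha256"
printf '%s\n' 0000000000000000000000000000000000000000 > "$workdir/tampered.sha1"

# Demo: a matching sidecar passes, a tampered one fails. Note that a checksum
# fetched from the same server as the artifact only detects corruption or a
# partial replacement; for a fully compromised host the signature is what counts.
verify_checksum "$artifact" "$artifact.sha1" sha1
verify_checksum "$artifact" "$artifact.sha256" sha256
verify_checksum "$artifact" "$workdir/tampered.sha1" sha1 || echo "tampered sidecar rejected"
```

In a real build the same check belongs in the tool rather than a side script: gradle-witness, mentioned earlier in the thread, pins per-dependency SHA-256 values in the build file so a swapped artifact fails the build rather than being quietly executed.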

JesusFreke commented 8 years ago

Great, thanks!

I have no particular reason to trust or distrust you :). My default level of trust is high enough that I'm willing to use open source code without comprehensively reviewing it first, etc. However, I have no basis for knowing how competent you are with respect to hosting a website securely.

Or to put it another way, I implicitly trust your (or any random open source contributor's) intentions absent any evidence to the contrary, but I don't believe the average person (including myself!) has the necessary knowledge or resources to host a website securely. So my default stance is to distrust a personally hosted website. That's not to say it's not possible, or that you specifically aren't capable.

In any case, thanks again :)

thomaslee commented 8 years ago

Thanks for sorting this out guys :+1: