Please push bitcoinj into Maven Central

[GoogleCodeExporter]

Hi
I would really love to see bitcoinj in Maven Central. Is there any reason why 
it's not in there?

Original issue reported on code.google.com by mar...@malkusch.de on 13 Dec 2013 at 11:59

[GoogleCodeExporter]

I think so far we felt that the API wasn't stable enough for Maven Central. And 
its still not final, I guess.

But I generally like the idea of fetching all artifacts from Maven Central. 
Sooner or later bitcoinj needs to be present in Maven Central. Perhaps with a 
1.0 release? (-:

Original comment by andreas....@gmail.com on 13 Dec 2013 at 5:15

[GoogleCodeExporter]

Does Maven Central have API stability requirements?

The main reason I haven't put it there is I don't know how secure their servers 
are, and we were afraid that a bad build might start getting served. That'd be 
a neat way to steal large sums of money all at once. The Nexus repo we have is 
on Google Code and thus has the same access control procedures as the source 
code.

Though Maven Central requires PGP signatures, it appears that Maven doesn't 
actually check them. Instead you're expected to purchase a "Nexus Professional" 
setup.

The work Gary did on dependency verification might mean we can reconsider this, 
but it'd still mean that you can't (safely) just whack in a new <dependency> 
section, as you'd have to add the dependency checker too. At that point you 
might as well just add the <repository> section as well.

Original comment by hearn@google.com on 13 Dec 2013 at 11:17

[GoogleCodeExporter]

Sure, the absent security in Maven is a huge problem. I really wonder why they 
dare to release new major versions without tackling that fundamental problem.

However, it is a fact all "mavenized" projects - including bitcoinj - pull in 
at least one artifact from Maven central (e.g. maven-compiler-plugin), so we're 
all trusting Maven Central anyway. So at least there is nothing to lose.

My hope is that if Maven doesn't fix this issue the Debian and Ubuntu 
repositories will. As soon as the Android runtime hits their repos I will start 
working on getting the app to Ubuntu. And Jim (MultiBit) could already work on 
that now.

Original comment by andreas....@gmail.com on 14 Dec 2013 at 10:19

[GoogleCodeExporter]

> The main reason I haven't put it there is I don't know how secure their 
servers are, 
> and we were afraid that a bad build might start getting served. That'd be a 
neat way 
> to steal large sums of money all at once.

Publishing through Sonatype requires signed artifacts. As long as you keep your 
signature
safe there is no regular way to compromise an artifact. But I must say I have 
no idea
what other security implementations are at work in the sync process. You might 
ask 
at https://issues.sonatype.org about the security aspect.

Original comment by mar...@malkusch.de on 14 Dec 2013 at 10:50

[GoogleCodeExporter]

I was worried about a compromise of Sonatype itself. Bitcoin motivates people 
to do attacks that wouldn't be feasible in other ways.

I guess it's true that one can't avoid loading code from Maven Central at the 
moment anyway though, so perhaps we should relax this rule and just encourage 
people to use Gary's plugin.

Andreas, I guess, they don't add it to Maven because it's a feature of some Pro 
product that they sell.

Original comment by hearn@google.com on 14 Dec 2013 at 7:31

[GoogleCodeExporter]

Anyway, if we decide to push bitcoinj to Maven Central I'd volunteer to do the 
"paper work".

Original comment by andreas....@gmail.com on 15 Dec 2013 at 10:12

[GoogleCodeExporter]

As a general observation to Bitcoinj newcomers:

Getting code into Maven Central is pretty straightforward. They provide an 
excellent guide (see 
https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage
+Guide) and you can grab a bunch of the necessary repo support code direct from 
my plugin (see https://github.com/gary-rowe/BitcoinjEnforcerRules). 

Any Bitcoinj-based project should really be using the plugin and carefully 
vetting any dependencies (or using pre-vetted versions from trusted development 
teams). Bitcoin security is not to be taken lightly.

Original comment by g.rowe.f...@gmail.com on 15 Dec 2013 at 11:48

[GoogleCodeExporter]

@gary I hate to say it, but I'm convinced your plugin just adds a false sense 
of security. We're checking the validity of artifacts we actually don't use, 
and at the same time we pull in artifacts we never check. I think your plugin 
should somehow work on Maven dependency level rather than file URIs, if 
possible.

See issue http://code.google.com/p/bitcoinj/issues/detail?id=459 for details.

Original comment by andreas....@gmail.com on 15 Dec 2013 at 12:01

[GoogleCodeExporter]

@andreas You're right. I need to update the plugin to catch when people don't 
re-snapshot their dependencies. 

I have some time this week, so I'll make the necessary changes and release an 
update.

For those interested, the issue is here: 
https://github.com/gary-rowe/BitcoinjEnforcerRules/issues/1

Original comment by g.rowe.f...@gmail.com on 16 Dec 2013 at 9:18

[GoogleCodeExporter]

Yeah, bitcoinj is on Maven central:

http://search.maven.org/#artifactdetails|com.google|bitcoinj|0.11.1|jar

Original comment by andreas....@gmail.com on 8 Mar 2014 at 5:34

[GoogleCodeExporter]

I'm more than happy to see it there. Maybe I'm too fast and central is not 
completely synchronized, because I'm missing 
com.google:bitcoinj-parent:pom:0.11.1.

Original comment by mar...@malkusch.de on 9 Mar 2014 at 2:32

[GoogleCodeExporter]

I can't get it to work either, because bitcoinj-parent is not uploaded. I just 
filed this separate issue:
https://code.google.com/p/bitcoinj/issues/detail?id=535

Original comment by kgree...@gmail.com on 9 Mar 2014 at 2:38

[GoogleCodeExporter]

I uploaded the parent, it should work now.

Original comment by mh.in.en...@gmail.com on 10 Mar 2014 at 4:18

• Changed state: Fixed