accumulo-dev mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject Re: Update Maven requirements to handle HTTPS?
Date Mon, 18 Aug 2014 15:30:57 GMT
Updating documentation was what I was leaning towards, yeah.

Build servers (@apache, personal, work) all have the potential to fail. 
If you have other teams integrating with the regular builds of Accumulo 
(e.g. projects that build against nightlies of Accumulo), we also now 
prevent them from building because Accumulo couldn't build. Yes, it's 
still based around building Accumulo, but it can still cascade.

On 8/18/14, 11:06 AM, Sean Busbey wrote:
> We could just update our developer docs to strongly suggest updating to
> Maven 3.2.3, if we don't want to force it.
>
>
> What kind of downstream issues are you expecting? AFAIK, the enforcer
> section for the pom only gets used when building our repo, not when
> building a project that uses us as a dep.
>
>
>
> On Mon, Aug 18, 2014 at 9:41 AM, Josh Elser <josh.elser@gmail.com> wrote:
>
>> Yes - exactly.
>>
>> Doing it in master only may alleviate some of the worry, but I imagine it
>> would still cause headache. For something that is already configurable by
>> <3.2.3 by users who want it, I can't get behind forcing a newer version
>> just to get the default action changed.
>>
>>
>> On 8/18/14, 9:01 AM, Bill Havanki wrote:
>>
>>> A user with Maven pre-3.2.3 can configure the Maven Central URL to use
>>> HTTPS by setting up a mirror in their settings.xml.
>>>
>>> http://maven.apache.org/guides/mini/guide-mirror-settings.html
>>>
>>> Josh, is your concern that folks won't be able to upgrade to 3.2.3?
>>>
>>>
>>> On Sun, Aug 17, 2014 at 5:41 PM, Josh Elser <josh.elser@gmail.com> wrote:
>>>
>>>> I see a massive headache incoming doing this. Is there a middle ground we
>>>> can encourage people to use that isn't going to break everyone
>>>> downstream?
>>>>
>>>> Can we make some recommendations to clients about how to use HTTPS
>>>> instead of HTTP access to avoid the MITM attack (which I assume is the
>>>> primary reason for suggesting the update).
>>>>
>>>>
>>>> On 8/17/2014 4:57 PM, Sean Busbey wrote:
>>>>
>>>>> Now that Maven has released version 3.2.3 to default HTTPS access to
>>>>> maven central, anyone have an objection to updating our enforcer rules
>>>>> to require it?
>>>>>
>>>>> http://maven.apache.org/docs/3.2.3/release-notes.html
>>>>>
>>>>>
>>>>>
>>>
>>>
>
>
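
The settings.xml mirror approach mentioned in the thread (for Maven older than 3.2.3) can be checked mechanically on a developer machine or build server. This is an added example, not part of the original thread or of Accumulo's code; the mirror id, the sample documents and the HTTPS URL for Central are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a settings.xml that mirrors Maven Central over HTTPS.
# The mirror id and URL are assumptions for this example.
SAMPLE_HTTPS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-https</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo.maven.apache.org/maven2</url>
    </mirror>
  </mirrors>
</settings>"""

# Constructed sample: the same mirror, but still fetching over plain HTTP.
SAMPLE_HTTP = SAMPLE_HTTPS.replace("https://", "http://")

def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _covers_central(mirror_of):
    """True if a <mirrorOf> pattern applies to the repository id 'central'."""
    patterns = [p.strip() for p in mirror_of.split(",")]
    if "!central" in patterns:
        return False
    return any(p in ("central", "*", "external:*") for p in patterns)

def central_mirror_url(settings_xml):
    """Return the URL of the first mirror covering 'central', or None."""
    root = ET.fromstring(settings_xml)
    for el in root.iter():
        if _local(el.tag) != "mirror":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if _covers_central(fields.get("mirrorOf", "")):
            return fields.get("url")
    return None

def central_uses_https(settings_xml):
    """False when no mirror covers Central: pre-3.2.3 then falls back to HTTP."""
    url = central_mirror_url(settings_xml)
    return url is not None and urlparse(url).scheme == "https"

if __name__ == "__main__":
    for name, doc in (("https", SAMPLE_HTTPS), ("http", SAMPLE_HTTP)):
        print(name, central_mirror_url(doc), central_uses_https(doc))
```

A `False` result on a machine running Maven older than 3.2.3 means artifacts from Central are still fetched without transport protection.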
