incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pedro Giffuni <>
Subject Re: svn commit: r1377482 - /incubator/ooo/trunk/main/external_deps.lst
Date Sun, 26 Aug 2012 19:54:43 GMT

----- Original Message -----
> On Sun, Aug 26, 2012 at 3:20 PM, Dave Fisher <> 
> wrote:
>>  Hi,
>>  We need to do more work to have proper compliance with Apache 
> Infrastructure policy in managing external dependencies.
>>  I may not be precisely correct and am looking for confirmation, but In 
> general i think we need to
>>  (1) Completely avoid using I don't think we are allowed 
> to do this even as a backup URL.
>>  (2) Use mirrors or maven for ASF dependencies where we use the current 
> release. If we use mirrors then should be the backup for the 
> mirror so that we aren't in trouble if the project has a release. If a maven 
> repository were used then there would be no issue.
>>  (3) If we use mirrors then we should allow the user to choose which mirror.
>>  If we decide to take the time to go the maven route. I can use the example 
> of ant and maven repos from the Apache POI build.xml.
>>  Notes about maven repos. Infra [1], maven central [2] and example of an 
> externally hosted repo [3]
>>  This area needs careful attention.
> Note that this move is exactly the wrong thing to do if we want have
> buildbots build binaries that are assumed to be safe and therefore
> signable.  Instead of the security and verifiability of ASF-run host,
> we're putting the dependencies off to a dozen different remote sites,
> with no visibility into their site's mechanisms for vetting changes,
> access controls, auditability of changes, even basics like ensuring
> domain names are renewed and not poached by others.

This is not true. We use checksums precisely to certify the source tarballs
haven't been tampered with.

> Do we really think other websites are as secure as the ones that Infra
> operates?  If so we should move the source code to the other sites as
> well, right?

Yes, upstream providers generate checksums and do proper
maintainance of their packages but perhaps more importantly by
working with them we can leverage their mirrors more efficiently.

I agree with Dave; we have to get rid of those tarballs
in SVN. Python 2.6.1 will be axed today, BTW.

 I haven't looked at Maven but it sounds like something
we should look at..


View raw message