incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pedro Giffuni <...@apache.org>
Subject Re: svn commit: r1377482 - /incubator/ooo/trunk/main/external_deps.lst
Date Sun, 26 Aug 2012 19:54:43 GMT


----- Original Message -----
 
> 
> On Sun, Aug 26, 2012 at 3:20 PM, Dave Fisher <dave2wave@comcast.net> 
> wrote:
>>  Hi,
>> 
>>  We need to do more work to have proper compliance with Apache 
> Infrastructure policy in managing external dependencies.
>> 
>>  I may not be precisely correct and am looking for confirmation, but In 
> general i think we need to
>> 
>>  (1) Completely avoid using svn.apache.org. I don't think we are allowed 
> to do this even as a backup URL.
>> 
>>  (2) Use mirrors or maven for ASF dependencies where we use the current 
> release. If we use mirrors then archive.apache.org should be the backup for the 
> mirror so that we aren't in trouble if the project has a release. If a maven 
> repository were used then there would be no issue.
>> 
>>  (3) If we use mirrors then we should allow the user to choose which mirror.
>> 
>>  If we decide to take the time to go the maven route. I can use the example 
> of ant and maven repos from the Apache POI build.xml.
>> 
>>  Notes about maven repos. Infra [1], maven central [2] and example of an 
> externally hosted repo [3]
>> 
>>  This area needs careful attention.
>> 
> 
> Note that this move is exactly the wrong thing to do if we want have
> buildbots build binaries that are assumed to be safe and therefore
> signable.  Instead of the security and verifiability of ASF-run host,
> we're putting the dependencies off to a dozen different remote sites,
> with no visibility into their site's mechanisms for vetting changes,
> access controls, auditability of changes, even basics like ensuring
> domain names are renewed and not poached by others.
>

This is not true. We use checksums precisely to certify the source tarballs
haven't been tampered with.


 
> Do we really think other websites are as secure as the ones that Infra
> operates?  If so we should move the source code to the other sites as
> well, right?
> 

Yes, upstream providers generate checksums and do proper
maintainance of their packages but perhaps more importantly by
working with them we can leverage their mirrors more efficiently.

I agree with Dave; we have to get rid of those tarballs
in SVN. Python 2.6.1 will be axed today, BTW.

 I haven't looked at Maven but it sounds like something
we should look at..

Pedro.  

Mime
View raw message