ofbiz-dev mailing list archives

From "Adam Heath (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-6271) build management with maven
Date Tue, 05 May 2015 14:48:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-6271?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14528552#comment-14528552 ]

Adam Heath commented on OFBIZ-6271:

Hahaha.  That guy is an idiot.  Seriously.  Don't blame the tool for bad developers.

I gave a talk at ApacheCon just recently, showing how to use ofbiz and docker together.  Do
you think I just randomly download stuff from the internet, every single time?  I don't, because
I understand the point of trusted build, and security.

Docker itself is really really really bad for security on downloaded image layers.  It has
a message that says "verified" when it has fetched remote data, but the data was retrieved
over http, and the hashsum in the metadata is *not* checked.  All that verified message means
is that the metadata was syntactically correct!

I rebuild my base image layers using debootstrap (I don't trust the debian or ubuntu image
flavors).  This is all based on apt-get stuff.  The only thing I download is wp-cli, but that's
not being fully utilized, and I don't actually download it automatically (it's a manual step,
so could be verified by the developer).

So, I've taken this tool (docker), and used the parts that are good, and not the parts that
are bad.

ps: This is not a rant at you, Jacques.

pps: I'm close to having my docker+ofbiz scripts ready.  I have a repo already with most of
my stuff on github, it just needs a bit of documentation.

> build management with maven
> ---------------------------
>                 Key: OFBIZ-6271
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6271
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>            Reporter: Adam Heath
>            Priority: Minor
>         Attachments: console.log
> This is a new build system; the primary goal will be to not require any changes to existing
> ofbiz layouts (for backwards compatibility, at least initially).
> These pom.xml files are completely new; the existing build.xml infrastructure will continue
> to exist.  The existing build.xml will never call into maven (which is what processes the pom.xml),
> and maven will never call into build.xml either.
> I have already committed a working pom.xml for the top level, and framework/start.  Shortly,
> I will be adding framework/base and framework/entity, but into this branch.

This message was sent by Atlassian JIRA
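
The check the message above says was skipped, as an added example (not part of the original message and not Docker's own code): recompute the hash of every downloaded layer and compare it with the digest listed in the metadata, rejecting the image on any mismatch. The manifest layout, function names and sample blobs are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def check_blob(digest: str, blob: Optional[bytes]) -> str:
    """Return 'ok' or the reason the blob must be rejected."""
    algo, sep, expected = digest.partition(":")
    if not sep or algo not in SUPPORTED:
        return "unsupported-digest"  # fail closed on unknown algorithms
    if blob is None:
        return "missing-blob"
    actual = SUPPORTED[algo](blob).hexdigest()
    # Constant-time comparison of the recomputed hash with the listed one.
    if not hmac.compare_digest(actual.encode(), expected.lower().encode()):
        return "digest-mismatch"
    return "ok"


def verify_layers(manifest: dict, blobs: dict) -> dict:
    """Map every layer digest in the manifest to its verification result."""
    return {
        layer["digest"]: check_blob(layer["digest"], blobs.get(layer["digest"]))
        for layer in manifest.get("layers", [])
    }


def image_is_trusted(manifest: dict, blobs: dict) -> bool:
    results = verify_layers(manifest, blobs)
    # An empty layer list is syntactically valid metadata but proves nothing.
    return bool(results) and all(r == "ok" for r in results.values())


# Constructed sample data: two layer blobs and a manifest listing their digests.
BASE = b"constructed base layer bytes"
APP = b"constructed application layer bytes"
MANIFEST = {"layers": [
    {"digest": "sha256:" + hashlib.sha256(BASE).hexdigest()},
    {"digest": "sha256:" + hashlib.sha256(APP).hexdigest()},
]}
GOOD = {l["digest"]: b for l, b in zip(MANIFEST["layers"], (BASE, APP))}
# Same well-formed manifest, but the second blob was altered in transit.
TAMPERED = dict(GOOD)
TAMPERED[MANIFEST["layers"][1]["digest"]] = APP + b" plus altered content"

if __name__ == "__main__":
    print(image_is_trusted(MANIFEST, GOOD))
    print(verify_layers(MANIFEST, TAMPERED))
```

The digest list is only as trustworthy as the channel or signature that delivered the manifest itself, so this check complements authenticated retrieval rather than replacing it.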
