Posted to users@maven.apache.org by Mi...@faa.gov on 2015/10/16 18:33:46 UTC

Setting Up Internal Repositories

The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.

In that section is described an option to manually download and vet releases, apparently of a remote repo.

What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.

Thank you.

Mike

Michael Tarullo
Contractor (Engility Corp)
Enterprise Architect
NSRR System Administrator
FAA WJH Technical Center
(609)485-5294


RE: Setting Up Internal Repositories

Posted by Mi...@faa.gov.
Thank you Anders.  I think this addresses something I mentioned in my reply to Ron.

Michael Tarullo
Contractor (Engility Corp)
Enterprise Architect
NSRR System Administrator
FAA WJH Technical Center
(609)485-5294


-----Original Message-----
From: anders.g.hammar@gmail.com [mailto:anders.g.hammar@gmail.com] On Behalf Of Anders Hammar
Sent: Friday, October 16, 2015 1:39 PM
To: Maven Users List
Subject: Re: Setting Up Internal Repositories

You could also check the signature against expected release managers or similar.

/Anders (mobile)
Den 16 okt 2015 18:56 skrev "Ron Wheeler" <rw...@artifact-software.com>:

> Hard to say but checking the checksums from the author's site would be 
> one way to vet a release from a third party.
> Opening the download and looking inside to see that the artifacts are 
> the ones that you were expecting is less secure but could be part of vetting.
>
> Ron
>
> On 16/10/2015 12:33 PM, Michael.CTR.Tarullo@faa.gov wrote:
>
>> The Maven Introduction to Repositories documentation contains a 
>> section that describes setting up an internal repository.
>>
>> In that section is described an option to manually download and vet 
>> releases, apparently of a remote repo.
>>
>> What is meant by "vet"?  Can you provide an example of how a repo 
>> release would be vetted?  I suspect this is highly dependent on the 
>> intended use of the repo, but I'm just trying to get a general idea of what is involved.
>>
>> Thank you.
>>
>> Mike
>>
>> Michael Tarullo
>> Contractor (Engility Corp)
>> Enterprise Architect
>> NSRR System Administrator
>> FAA WJH Technical Center
>> (609)485-5294
>>
>>
>>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: rwheeler@artifact-software.com
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
>
>

Re: Setting Up Internal Repositories

Posted by Anders Hammar <an...@hammar.net>.
You could also check the signature against expected release managers or
similar.

/Anders (mobile)
Den 16 okt 2015 18:56 skrev "Ron Wheeler" <rw...@artifact-software.com>:

> Hard to say but checking the checksums from the author's site would be one
> way to vet a release from a third party.
> Opening the download and looking inside to see that the artifacts are the
> ones that you were expecting is less secure but could be part of vetting.
>
> Ron
>
> On 16/10/2015 12:33 PM, Michael.CTR.Tarullo@faa.gov wrote:
>
>> The Maven Introduction to Repositories documentation contains a section
>> that describes setting up an internal repository.
>>
>> In that section is described an option to manually download and vet
>> releases, apparently of a remote repo.
>>
>> What is meant by "vet"?  Can you provide an example of how a repo release
>> would be vetted?  I suspect this is highly dependent on the intended use of
>> the repo, but I'm just trying to get a general idea of what is involved.
>>
>> Thank you.
>>
>> Mike
>>
>> Michael Tarullo
>> Contractor (Engility Corp)
>> Enterprise Architect
>> NSRR System Administrator
>> FAA WJH Technical Center
>> (609)485-5294
>>
>>
>>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: rwheeler@artifact-software.com
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>

Re: Setting Up Internal Repositories

Posted by Gail Stewart <ga...@mineraltree.com>.
We have also had a process for documenting why we upgraded a dependency or
chose a new dependency.  We use Jira - so we would create a ticket type
that had a workflow for the approvals.  It was pretty lightweight but it
would sometimes prevent developers using multiple libraries to accomplish
the same task unnecessarily.

On Fri, Oct 16, 2015 at 1:40 PM, <Mi...@faa.gov> wrote:

> Thank you Ron.  We already do the first.  We are considering the second,
> but for a repo with a very large number of artifacts this is somewhat
> impractical.  To mitigate that, we may consider automating it.  Finally,
> knowing what to expect appears to present some problems to me.
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>
> -----Original Message-----
> From: Ron Wheeler [mailto:rwheeler@artifact-software.com]
> Sent: Friday, October 16, 2015 12:56 PM
> To: users@maven.apache.org
> Subject: Re: Setting Up Internal Repositories
>
> Hard to say but checking the checksums from the author's site would be one
> way to vet a release from a third party.
> Opening the download and looking inside to see that the artifacts are the
> ones that you were expecting is less secure but could be part of vetting.
>
> Ron
>
> On 16/10/2015 12:33 PM, Michael.CTR.Tarullo@faa.gov wrote:
> > The Maven Introduction to Repositories documentation contains a section
> that describes setting up an internal repository.
> >
> > In that section is described an option to manually download and vet
> releases, apparently of a remote repo.
> >
> > What is meant by "vet"?  Can you provide an example of how a repo
> release would be vetted?  I suspect this is highly dependent on the
> intended use of the repo, but I'm just trying to get a general idea of what
> is involved.
> >
> > Thank you.
> >
> > Mike
> >
> > Michael Tarullo
> > Contractor (Engility Corp)
> > Enterprise Architect
> > NSRR System Administrator
> > FAA WJH Technical Center
> > (609)485-5294
> >
> >
>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: rwheeler@artifact-software.com
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>


-- 

Gail Stewart
Sr. Release Engineer

AP & Payment Automation
125 Cambridgepark Drive
Cambridge, MA 02140
gail.stewart@mineraltree.com
617.299.3399  x148

RE: Setting Up Internal Repositories

Posted by Mi...@faa.gov.
Thank you Ron.  We already do the first.  We are considering the second, but for a repo with a very large number of artifacts this is somewhat impractical.  To mitigate that, we may consider automating it.  Finally, knowing what to expect appears to present some problems to me.

Michael Tarullo
Contractor (Engility Corp)
Enterprise Architect
NSRR System Administrator
FAA WJH Technical Center
(609)485-5294

-----Original Message-----
From: Ron Wheeler [mailto:rwheeler@artifact-software.com] 
Sent: Friday, October 16, 2015 12:56 PM
To: users@maven.apache.org
Subject: Re: Setting Up Internal Repositories

Hard to say but checking the checksums from the author's site would be one way to vet a release from a third party.
Opening the download and looking inside to see that the artifacts are the ones that you were expecting is less secure but could be part of vetting.

Ron

On 16/10/2015 12:33 PM, Michael.CTR.Tarullo@faa.gov wrote:
> The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.
>
> In that section is described an option to manually download and vet releases, apparently of a remote repo.
>
> What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.
>
> Thank you.
>
> Mike
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>
>


--
Ron Wheeler
President
Artifact Software Inc
email: rwheeler@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


Re: Setting Up Internal Repositories

Posted by Ron Wheeler <rw...@artifact-software.com>.
Hard to say but checking the checksums from the author's site would be 
one way to vet a release from a third party.
Opening the download and looking inside to see that the artifacts are 
the ones that you were expecting is less secure but could be part of 
vetting.

Ron

On 16/10/2015 12:33 PM, Michael.CTR.Tarullo@faa.gov wrote:
> The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.
>
> In that section is described an option to manually download and vet releases, apparently of a remote repo.
>
> What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.
>
> Thank you.
>
> Mike
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>
>


-- 
Ron Wheeler
President
Artifact Software Inc
email: rwheeler@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102

Re: Setting Up Internal Repositories

Posted by Wayne Fay <wa...@gmail.com>.
Some organizations have concerns about using precompiled binaries
provided by third parties.

To "vet" a third-party provided binary would be a process to simply
compare the provided binary against the one that you could create
yourself using the same source code. A sufficiently motivated
third-party could take a perfectly clean/safe binary, inject their own
modifications, and distribute that modified version as if it were the
original version. I haven't seen this happen myself with any Java
libraries, but it could occur, at least in theory (and assuming you
don't pay attention to checksums - also realize the same person who
could secretly modify the binary could also modify the checksum).

As with everything, you need to think about what risks you are
concerned about, then devise processes to mitigate those risks. No one
here can dictate the correct approach for your organization.

Wayne

On Fri, Oct 16, 2015 at 9:33 AM,  <Mi...@faa.gov> wrote:
> The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.
>
> In that section is described an option to manually download and vet releases, apparently of a remote repo.
>
> What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.
>
> Thank you.
>
> Mike
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>

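A Python illustration of the two checks Ron and Wayne describe in this thread, added here as an example; it is not code from the Maven project or from any participant. It verifies a downloaded jar against the repository's checksum sidecar and, separately, against a digest obtained out of band (the author's site or a previously vetted copy), and it compares the downloaded jar entry by entry against a jar you rebuilt from the same source, ignoring zip timestamps that legitimately differ between builds. The jar contents, sidecar text and pinned digest are all constructed in memory; the assumed sidecar format is the hex digest optionally followed by a file name, as Maven Central-style `.sha1` files carry it.

```python
"""Vetting a third-party jar: checksum against an independent reference, and
entry-by-entry comparison against a self-built jar (added example; the jars,
sidecar text and pinned digest below are constructed, not real artifacts)."""
import hashlib
import io
import zipfile


def parse_sidecar(text: str) -> str:
    """Return the lowercase hex digest from a Maven-style .sha1/.md5 sidecar.
    Repositories publish either '<hex>' or '<hex>  <filename>'; accept both."""
    parts = text.split()
    if not parts or not all(c in "0123456789abcdefABCDEF" for c in parts[0]):
        raise ValueError(f"sidecar does not contain a hex digest: {text!r}")
    return parts[0].lower()


def verify_checksum(artifact: bytes, sidecar_text: str, pinned_sha1: str) -> dict:
    """Compare the artifact with its sidecar AND with a digest obtained elsewhere.
    The sidecar alone proves little: whoever swapped the jar on the repository
    can rewrite the sidecar next to it (Wayne's caveat)."""
    actual = hashlib.sha1(artifact).hexdigest()
    return {
        "sha1": actual,
        "matches_sidecar": actual == parse_sidecar(sidecar_text),
        "matches_pinned": actual == pinned_sha1.lower(),
    }


def jar_entries(jar: bytes) -> dict:
    """Map entry name -> SHA-256 of entry contents. Entry order and zip header
    metadata (timestamps) are ignored; only file contents are compared."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def compare_jars(downloaded: bytes, rebuilt: bytes) -> dict:
    """Report what differs between the downloaded jar and one built from source."""
    a, b = jar_entries(downloaded), jar_entries(rebuilt)
    return {
        "only_in_downloaded": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def vet(downloaded: bytes, sidecar_text: str, pinned_sha1: str, rebuilt: bytes) -> dict:
    """Accept only if the pinned digest matches and the rebuilt jar has the same contents."""
    result = verify_checksum(downloaded, sidecar_text, pinned_sha1)
    diff = compare_jars(downloaded, rebuilt)
    result["diff"] = diff
    result["identical_contents"] = not any(diff.values())
    result["accepted"] = result["matches_pinned"] and result["identical_contents"]
    return result


def build_jar(entries: dict, timestamp=(2015, 10, 16, 12, 33, 46)) -> bytes:
    """Constructed stand-in for a build output: a jar holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), data)
    return buf.getvalue()


# Constructed scenario: a clean release, our own rebuild of it (different build
# time, same contents), and a tampered copy with a modified class and an extra one.
CLEAN = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
         "com/example/Foo.class": b"\xca\xfe\xba\xbe clean"}
DOWNLOADED = build_jar(CLEAN)
REBUILT = build_jar(CLEAN, timestamp=(2015, 10, 17, 9, 0, 0))
TAMPERED = build_jar({**CLEAN,
                      "com/example/Foo.class": b"\xca\xfe\xba\xbe backdoored",
                      "com/example/Dropper.class": b"\xca\xfe\xba\xbe extra"})

# The digest we would have recorded from the author's site (hypothetical, computed
# here from the clean jar), the repo's honest sidecar, and a sidecar rewritten by
# the same party that replaced the jar.
PINNED_SHA1 = hashlib.sha1(DOWNLOADED).hexdigest()
SIDECAR = PINNED_SHA1 + "  foo-1.0.jar\n"
FORGED_SIDECAR = hashlib.sha1(TAMPERED).hexdigest() + "\n"

if __name__ == "__main__":
    print("clean   :", vet(DOWNLOADED, SIDECAR, PINNED_SHA1, REBUILT)["accepted"])
    print("tampered:", vet(TAMPERED, FORGED_SIDECAR, PINNED_SHA1, REBUILT))
```

The tampered case is the one Wayne warns about: the forged sidecar matches the jar it sits beside, so `matches_sidecar` is true and only the independently pinned digest and the rebuild comparison catch it. The entry-level comparison presumes the rebuild is reproducible; build timestamps or build numbers written into `MANIFEST.MF` will show up as `modified` and have to be inspected rather than silently ignored. Anders' signature check is the same pinning idea applied to identity: `gpg --verify artifact.jar.asc artifact.jar`, accepting only when the signing key's fingerprint is one recorded in advance for the project's release managers.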