You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@continuum.apache.org by Nacho Gonzalez Mac Dowell <na...@visual-ma.com> on 2006/01/28 16:57:04 UTC
Questions/Ideas about Continuum
Hi all, I have a couple of questions regarding continuum's webapp. I've
been looking through jira and haven't found these issues tackled.
1. Is it just me or permissions are not checked when adding/removing
projects? If I log in, copy the url for deleting a project and then
logout, it seems that I can delete the project anyways. After going
through the sources, I didn't find where permissions are checked.
2. What is the use of parsing the pom when introducing a new maven1
project? IMHO the pom should be parsed after checkout. This would allow
building projects which extend from others if the extension project is
included first. Maybe it would be useful to specify the relative url of
the pom when the checkout is performed. IMO all you need to build a
maven project is the scm connection url and parameters and the relative
url to the pom.
3. Isn't the scm password stored as clear text on the db? Usually this
is a unix user/password from the scm machine... I would consider making
a certificate for ssh connection or something like that. Then the public
key for the user could be available for download and put in the scm machine.
Obviestly I am willing to contribute with patches on these issues if
they are welcome. I didn't want to open tickets just yet as it is my
first approach to continuum...
Anyways, I think Continuum is a very nice tool that could be really made
into a monster! Thanks a lot for the effort!
Thank you for your attention
nacho
Re: Questions/Ideas about Continuum
Posted by Emmanuel Venisse <em...@venisse.net>.
Nacho Gonzalez Mac Dowell a écrit :
> Emmanuel Venisse escribió:
>
>> Nacho Gonzalez Mac Dowell a écrit :
>>
>>> Hi all, I have a couple of questions regarding continuum's webapp.
>>> I've been looking through jira and haven't found these issues tackled.
>>>
>>> 1. Is it just me or permissions are not checked when adding/removing
>>> projects? If I log in, copy the url for deleting a project and then
>>> logout, it seems that I can delete the project anyways. After going
>>> through the sources, I didn't find where permissions are checked.
>>
>>
>>
>> You're right, it's a big problem in actual code that will be fixed in
>> 1.1 (not in 1.0.3).
>> We'll use acegi security framework for that.
>
>
> Is there a branch or anything yet for this issue?
We have a branch for 1.0.3, it's continuum-1.0.x
1.1 is in trunk, but acegi isn't there for the moment.
>
>>
>>>
>>> 2. What is the use of parsing the pom when introducing a new maven1
>>> project? IMHO the pom should be parsed after checkout. This would
>>> allow building projects which extend from others if the extension
>>> project is included first. Maybe it would be useful to specify the
>>> relative url of the pom when the checkout is performed. IMO all you
>>> need to build a maven project is the scm connection url and
>>> parameters and the relative url to the pom.
>>
>>
>>
>> We need to parse the pom when we add it for initializing it in
>> Continuum. We'll can perhaps allow to add maven1 project which extend
>> an other but only for parent project in the same checkout tree.
>
>
> In the same checkout tree or, maybe, from an already parsed pom?
> Obviestly the order in which projects are added would then be quite
> important.
We can't extends an already parsed pom because extend feature in maven1 doesn't provide information
other than the relative path to parent pom, so we can't know which parent it is a project list.
And, if we suppose that we can find it, we'll need to modify the relative path to the parent in the
child, because continuum store projects on filesystem differently that it is in scm or on developer
machine.
>
> Also, why does Continuum need to know from the project except its scm
> url and the relative path to the pom? If it does need more things (which
> I may be missing) it could perform a checkout when adding a project,
> rather than uploading (for the upload case, not for the url case).
We need groupId, artifactId, version, scm url, dependencies and notifiers when we add a project in
continuum.
groupId, artifactId, version and dependencies are necessary to find the correct build order.
>
> I am also worried that if the pom changes substantially with time, then
> a reparse of the pom would be needed if uploaded?
>
>>
>>>
>>> 3. Isn't the scm password stored as clear text on the db? Usually
>>> this is a unix user/password from the scm machine... I would consider
>>> making a certificate for ssh connection or something like that. Then
>>> the public key for the user could be available for download and put
>>> in the scm machine.
>>
>>
>>
>> It's a possible solution to implement.
>
>
> The only problem I see with this issue is that the only ssh-keygen java
> port I know is from mindterm which is now propietary. How could we do
> this maintaining portability? Any ideas? Does anybody see any other
> solution for not storing clear text password on the db?
ssh-keygen is available in jsch (http://www.jcraft.com/jsch/) too.
Emmanuel
>
> best regards,
>
> nacho
>
>
>
Re: Questions/Ideas about Continuum
Posted by Nacho Gonzalez Mac Dowell <na...@visual-ma.com>.
Emmanuel Venisse escribió:
> Nacho Gonzalez Mac Dowell a écrit :
>
>> Hi all, I have a couple of questions regarding continuum's webapp.
>> I've been looking through jira and haven't found these issues tackled.
>>
>> 1. Is it just me or permissions are not checked when adding/removing
>> projects? If I log in, copy the url for deleting a project and then
>> logout, it seems that I can delete the project anyways. After going
>> through the sources, I didn't find where permissions are checked.
>
>
> You're right, it's a big problem in actual code that will be fixed in
> 1.1 (not in 1.0.3).
> We'll use acegi security framework for that.
Is there a branch or anything yet for this issue?
>
>>
>> 2. What is the use of parsing the pom when introducing a new maven1
>> project? IMHO the pom should be parsed after checkout. This would
>> allow building projects which extend from others if the extension
>> project is included first. Maybe it would be useful to specify the
>> relative url of the pom when the checkout is performed. IMO all you
>> need to build a maven project is the scm connection url and
>> parameters and the relative url to the pom.
>
>
> We need to parse the pom when we add it for initializing it in
> Continuum. We'll can perhaps allow to add maven1 project which extend
> an other but only for parent project in the same checkout tree.
In the same checkout tree or, maybe, from an already parsed pom?
Obviestly the order in which projects are added would then be quite
important.
Also, why does Continuum need to know from the project except its scm
url and the relative path to the pom? If it does need more things (which
I may be missing) it could perform a checkout when adding a project,
rather than uploading (for the upload case, not for the url case).
I am also worried that if the pom changes substantially with time, then
a reparse of the pom would be needed if uploaded?
>
>>
>> 3. Isn't the scm password stored as clear text on the db? Usually
>> this is a unix user/password from the scm machine... I would consider
>> making a certificate for ssh connection or something like that. Then
>> the public key for the user could be available for download and put
>> in the scm machine.
>
>
> It's a possible solution to implement.
The only problem I see with this issue is that the only ssh-keygen java
port I know is from mindterm which is now propietary. How could we do
this maintaining portability? Any ideas? Does anybody see any other
solution for not storing clear text password on the db?
best regards,
nacho
Re: Questions/Ideas about Continuum
Posted by Emmanuel Venisse <em...@venisse.net>.
Nacho Gonzalez Mac Dowell a écrit :
> Hi all, I have a couple of questions regarding continuum's webapp. I've
> been looking through jira and haven't found these issues tackled.
>
> 1. Is it just me or permissions are not checked when adding/removing
> projects? If I log in, copy the url for deleting a project and then
> logout, it seems that I can delete the project anyways. After going
> through the sources, I didn't find where permissions are checked.
You're right, it's a big problem in actual code that will be fixed in 1.1 (not in 1.0.3).
We'll use acegi security framework for that.
>
> 2. What is the use of parsing the pom when introducing a new maven1
> project? IMHO the pom should be parsed after checkout. This would allow
> building projects which extend from others if the extension project is
> included first. Maybe it would be useful to specify the relative url of
> the pom when the checkout is performed. IMO all you need to build a
> maven project is the scm connection url and parameters and the relative
> url to the pom.
We need to parse the pom when we add it for initializing it in Continuum. We'll can perhaps allow to
add maven1 project which extend an other but only for parent project in the same checkout tree.
>
> 3. Isn't the scm password stored as clear text on the db? Usually this
> is a unix user/password from the scm machine... I would consider making
> a certificate for ssh connection or something like that. Then the public
> key for the user could be available for download and put in the scm
> machine.
It's a possible solution to implement.
>
> Obviestly I am willing to contribute with patches on these issues if
> they are welcome. I didn't want to open tickets just yet as it is my
> first approach to continuum...
All help are welcome. File an issue and attach your patches. We'll look at them.
>
> Anyways, I think Continuum is a very nice tool that could be really made
> into a monster! Thanks a lot for the effort!
Thanks.
Emmanuel
>
> Thank you for your attention
>
> nacho
>
>
>