You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@bigtop.apache.org by Konstantin Boudnik <co...@apache.org> on 2015/11/08 01:11:29 UTC

Re: Issues with Kite build

Gentlemen, 

is there any progress with this issue? We are approaching release 1.1 and I
would be very hesitant to keep a component with 3rd party binaries as a part
of it. Will it get fixed on the Kite side or we'll have to patch the source
code as a workaround?

Thanks for your help!
  Cos

On Fri, Sep 11, 2015 at 10:37AM, Ryan Blue wrote:
> Cos,
> 
> I wasn't aware that all of the dependencies are being pulled from
> the Cloudera repos and you're right that it seems strange. What's
> causing that to happen? If it's something on the Kite side, let us
> know how we can fix it.
> 
> Mark,
> 
> Yes, we do publish to maven central. It sounds like the problem is
> that somehow the Cloudera repo is being used instead of maven
> central.
> 
> rb
> 
> On 09/11/2015 09:31 AM, Mark Grover wrote:
> >Adding Ryan back
> >
> >Thanks Ryan!
> >
> >And, thanks Cos. Yeah, that makes total sense. I think that's a
> >reasonable goal, it's likely not something we can achieve overnight but
> >we can march towards that steadily. In particular, that involves two things:
> >1) Selectively building stuff that bigtop cares about.
> >2) Encouraging projects like Kite to publish their jars in maven
> >central, etc. (Ryan do you have any plans to do that? Or, is that the
> >case already?)
> >
> >I'll create a JIRA and add some details there, feel free to add if I
> >missed something.
> >
> >Mark
> >
> >On Thu, Sep 10, 2015 at 4:02 PM, Konstantin Boudnik <cos@apache.org
> ><ma...@apache.org>> wrote:
> >
> >    Thanks for the explanation Ryan! Certainly excluding the non-Apache
> >    specific
> >    modules make sense and needs to be done.
> >
> >    The other issue here, is that _all_ dependencies, including those
> >    that Hadoop
> >    and other components depends on, are pulled out of Cloudera repo.
> >    That's the biggest one in my opinion. While I am not suspecting Cloudera
> >    will be putting anything malicious into httpcomponents I, as a RM
> >    and a PMC
> >    member of this project, don't feel right gpg-signing packages
> >    without knowing
> >    what some of the jars contain. So my main concern is that if we
> >    supply binary
> >    packages to our users we should be sure that we are using either
> >      - official public repos like mavencentral, that contains the jars
> >    deployed by
> >        the official development teams of those components; or
> >      - ASF Infra repos where all the artifacts are controlled and a
> >    responsibility
> >        of a particular project's PMC
> >
> >    Does it make sense?
> >       Cos
> 
> 
> -- 
> Ryan Blue