[security-dev] PicketBox in Maven Central

Boleslaw Dawidowicz bdawidow at redhat.com
Fri Jan 11 05:56:47 EST 2013


Just a comment that while not relying on our own repo is a suggested requirement, it is not a hard one. I tried to be Maven Central pure for some GateIn components and found out a few interesting parts:

- AS7 is not Maven Central pure and has a hardcoded jboss repo in its parent. Still it is synced into central.
- A LOT of dependencies inside of Maven Central have hardcoded external repos. The way Maven works, if you indirectly depend on any such artefacts, Maven will start searching those external repos anyway.

In the end, when I tried to be Maven Central pure, I discovered that it is impossible to exclude other repos fully. If you try to enforce it with a local settings.xml and <mirrorOf>*</..., then many dependencies from Maven Central won't resolve because transient ones from other repos will be missing.

In the end it is good to try, but when you hit the wall be aware that it is not really a strictly followed rule. Personally, when some of my transient dependencies enable external repos like the jboss one, I prefer to just clearly define it in my own parent to be aware of it.

 
On Jan 8, 2013, at 4:24 PM, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:

> Hi Pete,
> 
> Please include me in the thread as well, this request is to solve a 
> dependency issue for me.
> 
> I am also about to speak to Joel about another set of dependencies that 
> are missing from Central.
> 
> Regards,
> Darran Lofthouse.
> 
> 
> On 01/08/2013 01:19 PM, Pete Muir wrote:
>> I think that list is out of date. Best is if someone from the PicketLink project can step up and own this task. Paul or I can then get you in contact with Joel @ Sonatype, who will run some checks, and let you know if PicketLink needs to make any changes.
>> 
>> I'll start an off list thread with Joel, Anil and Pedro for now, but anyone else can jump in, just say!
>> 
>> On 7 Jan 2013, at 17:45, Anil Saldhana wrote:
>> 
>>> If you look at this
>>> https://community.jboss.org/wiki/MavenRepositoryCentralSynchronization
>>> it says (as of May 2012) both PicketBox and PicketLink are under review.
>>> 
>>> I am trying to jog my memory if I had requested this long ago. I may
>>> have done it long ago.
>>> 
>>> On 01/07/2013 11:26 AM, Darran Lofthouse wrote:
>>>> That would make sense - the quick starts don't want dependencies on our
>>>> own repos so having those both in central will make it easier to add new
>>>> quickstarts.
>>>> 
>>>> 
>>>> On 01/07/2013 05:14 PM, Anil Saldhana wrote:
>>>>> It may be best to sync both org.picketbox and org.picketlink
>>>>> 
>>>>> On 01/07/2013 11:12 AM, Darran Lofthouse wrote:
>>>>>> Thank you Anil - I have Joel's details so will e-mail him and Stefan.
>>>>>> 
>>>>>> Regards,
>>>>>> Darran Lofthouse.
>>>>>> 
>>>>>> 
>>>>>> On 01/07/2013 05:04 PM, Anil Saldhana wrote:
>>>>>>> Asked Paul Gier to see if we can push some JBoss repo artifacts to Maven
>>>>>>> central.
>>>>>>> =======
>>>>>>> (11:02:37 AM) anilsaldhana: pgier: hi Paul.  Do you know if we can push
>>>>>>> jboss repo artifacts to maven central?
>>>>>>> (11:02:47 AM) anilsaldhana: pgier: like selected projects for example.
>>>>>>> (11:03:19 AM) pgier: asaldhan, yes, you have to talk to joel from
>>>>>>> sonatype to let him know which groupIds to sync
>>>>>>> ============
>>>>>>> 
>>>>>>> On 01/07/2013 10:55 AM, Anil Saldhana wrote:
>>>>>>>> Darran,
>>>>>>>>        this can be done. Stefan should be able to push the PicketBox
>>>>>>>> dependencies to maven
>>>>>>>> central.
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Anil
>>>>>>>> 
>>>>>>>> On 01/07/2013 10:54 AM, Darran Lofthouse wrote:
>>>>>>>>> For a while I have been meaning to get JBoss Negotiation into Maven
>>>>>>>>> Central so that I can move the toolkit from the project and into the
>>>>>>>>> quick starts and for the quick starts they don't want dependencies on
>>>>>>>>> our internal repos.
>>>>>>>>> 
>>>>>>>>> Within JBoss Negotiation I have a couple of PicketBox dependencies - is
>>>>>>>>> there any possibility that these could be synced to Maven Central?
>>>>>>>>> 
>>>>>>>>> Regards,
>>>>>>>>> Darran Lofthouse.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>> 
>> 

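One way to see which external repositories a build can be steered to, as the top message in this thread describes, is to inventory the `<repositories>` and `<pluginRepositories>` entries declared by the POMs a project pulls in. This is an added example, not code from the thread or from any JBoss project; the sample POMs, their file names and `repo.example.org` are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CENTRAL_HOSTS = {"repo.maven.apache.org", "repo1.maven.org"}  # Maven Central itself

# Constructed sample POMs; names and repo.example.org are placeholders.
SAMPLE_POMS = {
    "example-parent-1.0.pom": """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <repositories><repository>
        <id>example-external</id><url>https://repo.example.org/maven2/</url>
      </repository></repositories>
    </project>""",
    "example-lib-2.0.pom": """<project><profiles><profile>
      <pluginRepositories><pluginRepository>
        <id>central</id><url>https://repo.maven.apache.org/maven2</url>
      </pluginRepository></pluginRepositories>
    </profile></profiles></project>""",
}

def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns both match."""
    return tag.rsplit("}", 1)[-1]

def declared_repos(pom_xml):
    """Return (section, id, url) for every repository a POM declares."""
    found = []
    for section in ET.fromstring(pom_xml).iter():
        kind = _local(section.tag)
        if kind not in ("repositories", "pluginRepositories"):
            continue
        for repo in section:
            fields = {_local(c.tag): (c.text or "").strip() for c in repo}
            if fields.get("url"):
                found.append((kind, fields.get("id", ""), fields["url"]))
    return found

def external_repos(poms):
    """Map each POM name to the non-Central repository URLs it declares."""
    report = {}
    for name, xml_text in poms.items():
        urls = sorted({url for _, _, url in declared_repos(xml_text)
                       if urlparse(url).hostname not in CENTRAL_HOSTS})
        if urls:
            report[name] = urls
    return report

if __name__ == "__main__":
    for pom, urls in external_repos(SAMPLE_POMS).items():
        print(pom, "->", ", ".join(urls))
```

To audit a real build, feed `external_repos` the text of each `*.pom` file under the local repository (by default `~/.m2/repository`) instead of the sample dictionary.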