Re: [tor-bugs] #16746 [metrics-lib]: Use a better tool than just Ant and Debian's package manager to manage dependencies
#16746: Use a better tool than just Ant and Debian's package manager to manage dependencies
-----------------------------+---------------------
Reporter: karsten | Owner: karsten
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: metrics-lib | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+---------------------
Comment (by iwakeh):
I would first list what should be improved and then look for a way to
accomplish things.
== Thoughts about Maven
* Why introduce the necessity to depend on maven-central? See their
[https://repo1.maven.org/terms.html terms]: basically anyone can upload,
nothing is screened, and there is no quality/security control whatsoever.
Usually, software companies that are serious about reproducibility,
quality, and security issues maintain their own "hand-collected", manually
screened repositories inside the company net. It's easy to infer what and
how you build just by tracing the maven dependency requests and the like.
* Maven is very powerful. So using it for the current Onionoo setup would
work, but take a look at the pom.xml of just the maven-compiler-plugin
(and all other deps). Does that look like neat and clean dependency
management?
* metrics-lib only needs two libs to be compiled (after you got rid of
commons-codec). How many artifacts do you download with your maven build?
Take a look at all the pom.xmls. What do they do? What does the code you
downloaded do? etc.
== Goals for the build process (ordered at random)
This is of course also valid for the other java projects.
* ease of development
* security
* reproducibility
* clear dependency handling
=== Ways to accomplish (there are more of course)
Whoever compiles metrics-lib (or any other Java project) knows how to
adapt the path {{{/usr/share/java/}}} in build.xml to the path they use for
the required libs.^([#fn1 '1'])^ So debian is not really a dependency.
A well written build.xml with clear versioning for external libs will make
the build process easy. (I think I mentioned that before in a ticket, but
can't find it right now.)
Reproducibility should be added (to all java Tor projects) by using Java
jar signing and the like.
My two cents.
Well, sounds like I'm strongly opposed to the switch.
------
[=#fn1 1]: or they should learn about it :-)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16746#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
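The comment above asks for clear versioning of external libs and a reproducible build that does not trust whatever a public repository hands out. One way to get that with a plain Ant setup is to keep a manifest of pinned SHA-256 hashes next to build.xml and refuse to build when a jar in the lib directory does not match. The script below is an added example written for this archive, not code from the ticket, from metrics-lib or from any Tor project; the jar names, the "hash  filename" manifest format and the helper names `sha256_of` and `verify_deps` are all assumptions made up for the illustration, and the "jars" in the demo are constructed text files, not real archives.

```shell
#!/bin/sh
# Added example (not from the ticket or metrics-lib): verify that every
# external jar the build needs matches a pinned SHA-256 before Ant runs.
# The manifest is a constructed convention: one "sha256  relative/path"
# line per jar. The file name carries the version, the hash ties the build
# to exact bytes, whether the jar came from /usr/share/java, a company
# internal repository or a manual download.

set -u

# Portable SHA-256: GNU coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_deps LIBDIR MANIFEST
# Returns 0 only if every jar listed in MANIFEST exists under LIBDIR and
# hashes to the pinned value; prints one status line per jar.
verify_deps() {
    libdir=$1
    manifest=$2
    rc=0
    while read -r expected name; do
        [ -z "$expected" ] && continue              # skip blank lines
        case $expected in \#*) continue ;; esac     # skip comment lines
        jar="$libdir/$name"
        if [ ! -f "$jar" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(sha256_of "$jar")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Demo on constructed sample files (hypothetical jar names, not real
# archives): pin the current bytes, verify, then show what a silently
# replaced jar with the same file name looks like to the check.
demo=$(mktemp -d)
printf 'constructed jar A' > "$demo/example-a-1.2.3.jar"
printf 'constructed jar B' > "$demo/example-b-4.5.jar"
{
    echo "# pinned external libs for the constructed demo build"
    echo "$(sha256_of "$demo/example-a-1.2.3.jar")  example-a-1.2.3.jar"
    echo "$(sha256_of "$demo/example-b-4.5.jar")  example-b-4.5.jar"
} > "$demo/deps.sha256"
verify_deps "$demo" "$demo/deps.sha256" && echo "build may proceed"
printf 'different bytes, same file name' > "$demo/example-b-4.5.jar"
verify_deps "$demo" "$demo/deps.sha256" || echo "build must stop"
rm -rf "$demo"
```

Wiring this in as a target that the `compile` target depends on keeps the check inside the existing Ant workflow; the same verification can also be expressed natively with Ant's `<checksum>` task and a `<fail>` on mismatch. Either way the pinned manifest, not the repository, decides which bytes are acceptable, which is the reproducibility property the comment is after.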