Re: [jetty-dev] Clarification on Jetty build from source dependencies

Thanks Joakim. We have a security mandate to build libraries from source. And I am using the maven features to build the jetty projects, viz. mvn clean install. I was looking at the dependencies for each of the projects from its respective .pom file and saw that they have compile time, optional and test dependencies and nothing explicitly defined as runtime dependency and hence wanted to confirm this.

Thanks
Neha

On Fri, Jul 24, 2020, 15:48 Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
We do not test or maintain any kind of alternate build effort.

Don't analyze the build via the poms, you'll miss a lot.
Especially the optional dependencies related to HTTP/2, ALPN, etc...

Perhaps you can use the maven features to build a specific target module plus its dependencies.

Also, why do you want to build this from source yourself?
The jars on the global repository system can be cryptographically verified as coming from one of us developers.
Just verify the jars against the keys listed in https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Fri, Jul 24, 2020 at 5:21 PM Neha Munjal <neha.munjal3@xxxxxxxxx> wrote:
Hi,

We are working to upgrade our product to use Jetty 9.4.30.v20200611. We only use a subset of Jetty jars, primarily client jars to support HTTP/2 communication and we have a requirement to build the jetty jars from source. 

1. As part of this compilation process, we are analyzing the dependencies for each of the required artifacts.
To clarify, consider an example for jetty-client-9.4.30.v20200611
This link mentions the compile time and test dependencies, and this is what I see in the source pom.xml files as well. Can we assume that there are no other runtime dependencies required for this jar?

2. Also since we only need a subset of jar files, we would not like to build the complete distribution. But I noticed that in order to build specific jar files, we first need to build the build-resources project that generates the build-resources-9.4.30.v20200611.jar and only after that can we proceed with building the specific jar files. Is this correct or is there another way to directly build only the specific artifacts?

Any inputs here would be highly appreciated.

Thanks
Neha
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev
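
Added example (not part of the thread and not Jetty project code): in Maven, a dependency with no `<scope>` element has `compile` scope, and compile-scope dependencies are also on the runtime classpath, so a pom with no explicit `runtime` entries can still have runtime dependencies. The sketch below classifies the direct dependencies of a single pom; the pom and its `org.example` coordinates are constructed for illustration, and parent poms, profiles and transitive dependencies are not resolved.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Maven scopes that end up on the runtime classpath of the built jar.
RUNTIME_SCOPES = {"compile", "runtime"}

# Constructed pom for illustration; coordinates are hypothetical, not Jetty's.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo-client</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>demo-http</artifactId>
      <version>${project.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>demo-alpn</artifactId>
      <version>1.0</version><optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>demo-api</artifactId>
      <version>1.0</version><scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>demo-test-helper</artifactId>
      <version>1.0</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

def classify(pom_xml):
    """Split a pom's direct dependencies into required at runtime,
    optional at runtime, and not on the runtime classpath."""
    result = {"runtime": [], "optional": [], "excluded": []}
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        name = "%s:%s" % (dep.findtext("m:groupId", "", NS),
                          dep.findtext("m:artifactId", "", NS))
        # A missing <scope> means Maven's default scope, "compile".
        scope = (dep.findtext("m:scope", "", NS) or "compile").strip()
        optional = dep.findtext("m:optional", "false", NS).strip() == "true"
        if scope not in RUNTIME_SCOPES:
            result["excluded"].append(name)   # provided, test, system
        elif optional:
            result["optional"].append(name)   # needed only if the feature is used
        else:
            result["runtime"].append(name)
    return result
```
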