[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
|
On Thu, 2021-01-14 at 16:06 +0100, Gunnar Wagenknecht wrote:
> Lars,
>
> I think the AC is the better body to discuss this. I've added it to
> the agenda for our call today.
>
> FWIW, I believe as long as there are projects consuming Orbit it will
> exists. However, one of the goals for EBR was always to be able to
> consume Maven artifacts within the same reactor build. Thus, these
> are great new features in Tycho.
>
> It lacks a few features with regards to generating high quality
> manifests. Maybe EBR recipes can be fetched dynamically as templates
> and taken into account when generating the bundles?
>
> From a legal perspective ... the about/ip information needs to be
> added. But I'm not sure this is still a strong requirements. We don't
> do this for dependencies in other ecosystems (eg., JavaScript NPM).
> Thus, we might be able to lift that.
>
> With regards to signing this is a grey area. My current thinking is
> that once artifacts are no longer consumed from Eclipse.org they must
> not be signed with an Eclipse.org certificate. But I don't see any
> issue with distributing unsigned 3rd party content in the same way
> Maven Central distributes jars (hash validation and TLS transfer).
(didn't see this until I posted my thoughts, but glad we see the same
potential issues)
I think if the about.html/about_files inclusion and signing criteria
can be relaxed under these conditions, it would make adoption much
easier.
--
Roland Grunberg