Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?

On Thu, 2021-01-14 at 16:06 +0100, Gunnar Wagenknecht wrote:
> Lars,
> I think the AC is the better body to discuss this. I've added it to
> the agenda for our call today.
> FWIW, I believe as long as there are projects consuming Orbit it will
> exists. However, one of the goals for EBR was always to be able to
> consume Maven artifacts within the same reactor build. Thus, these
> are great new features in Tycho. 
> It lacks a few features with regards to generating high quality
> manifests. Maybe EBR recipes can be fetched dynamically as templates
> and taken into account when generating the bundles?
> From a legal perspective ... the about/ip information needs to be
> added. But I'm not sure this is still a strong requirements. We don't
> do this for dependencies in other ecosystems (eg., JavaScript NPM).
> Thus, we might be able to lift that.
> With regards to signing this is a grey area. My current thinking is
> that once artifacts are no longer consumed from they must
> not be signed with an certificate. But I don't see any
> issue with distributing unsigned 3rd party content in the same way
> Maven Central distributes jars (hash validation and TLS transfer).

(didn't see this until I posted my thoughts, but glad we see the same
potential issues)

I think if the about.html/about_files inclusion and signing criteria
can be relaxed under these conditions, it would make adoption much

Roland Grunberg

Back to the top