Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to c

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?

From: Philip Wenig <philip.wenig@xxxxxxxxxxxxx>
Date: Fri, 15 Jan 2021 06:15:26 +0100
Delivered-to: orbit-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/orbit-dev/>
List-help: <mailto:orbit-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/orbit-dev>, <mailto:orbit-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/orbit-dev>, <mailto:orbit-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

Adding the about/ip information shouldn't be a problem as the IPzillaissue id could be simply typed in a field when adding the m2 dependency.A drawback could be here, that each user needs to resolve all necessaryids by his/her own. That's a benefit of using Orbit.

A question would be, where the about.html/about_files are located? Theyare not available on Maven central, am I right? Locally? Couldn't thatlead to a duplication and probably incorrect entries? The benefit ofOrbit is, IMHO, that these pieces of information are peer reviewed.



Am 14.01.21 um 16:34 schrieb Roland Grunberg:

On Thu, 2021-01-14 at 16:06 +0100, Gunnar Wagenknecht wrote:

Lars,

I think the AC is the better body to discuss this. I've added it to
the agenda for our call today.

FWIW, I believe as long as there are projects consuming Orbit it will
exists. However, one of the goals for EBR was always to be able to
consume Maven artifacts within the same reactor build. Thus, these
are great new features in Tycho.

It lacks a few features with regards to generating high quality
manifests. Maybe EBR recipes can be fetched dynamically as templates
and taken into account when generating the bundles?

 From a legal perspective ... the about/ip information needs to be
added. But I'm not sure this is still a strong requirements. We don't
do this for dependencies in other ecosystems (eg., JavaScript NPM).
Thus, we might be able to lift that.

With regards to signing this is a grey area. My current thinking is
that once artifacts are no longer consumed from Eclipse.org they must
not be signed with an Eclipse.org certificate. But I don't see any
issue with distributing unsigned 3rd party content in the same way
Maven Central distributes jars (hash validation and TLS transfer).

(didn't see this until I posted my thoughts, but glad we see the same
potential issues)

I think if the about.html/about_files inclusion and signing criteria
can be relaxed under these conditions, it would make adoption much
easier.


--
~~~~~~~~~~~~~~~~~~~~~~~~
OpenChrom - the open source alternative for chromatography / mass spectrometry
Dr. Philip Wenig » Founder » philip.wenig@xxxxxxxxxxxxx » http://www.openchrom.net
~~~~~~~~~~~~~~~~~~~~~~~~

References:
- [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
  - From: Lars Vogel
- Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
  - From: Gunnar Wagenknecht
- Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
  - From: Roland Grunberg

Prev by Date: Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
Next by Date: Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
Previous by thread: Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
Next by thread: Re: [orbit-dev] Impact for Orbit of recent PDE and Tycho extensions to consume Maven libs directly?
Index(es):
- Date
- Thread

Breadcrumbs