Eclipse-based builds exporting directly from eclipse.org Hudson to
third-party repositories is a violation of vendor neutrality. It's
perfectly fine to have eclipse.org artifacts in the Sonatype
repository; but having them automatically put there by a build
script running on an eclipse.org build server crosses the line.
How do we make this right? i.e. what do we have to do to make
maven.eclipse.org the right place for this stuff?
Wayne
On 12/09/2011 12:15 AM, Igor Fedorenko wrote:
We (tycho developers) are setting up our Hudson job to deploy tycho snapshot (a.k.a nightly) builds to oss.sonatype.org [1]. I know at least one other project (jetty) is interested in this too, so I'd like to see if we can agree on a common setup and make it easier for other projects to deploy to oss.sonatype.org. (you can probably skip the rest, if you don't know what this means and are not a webmaster).
The problem boils down to managing credentials used by Hudson jobs to deploy to oss.sonatype.org. We can either have a single shared deployment username/password or each project will manage their deployment credentials independently.
There is a chance I am wrong on this, but from what I understand all Hudson jobs run under the same OS userid. This I believe means that having one shared set of deployment credentials or per-project deployment credentials does not make much difference from a security point of view. In both cases, if one job is compromised, the attacker will be able to gain access to all deployment credentials.
From an ease-of-use point of view a single shared set of deployment credentials is certainly preferable, because it will need to be set up only once and then all projects that decide to deploy to oss.sonatype.org will be able to use it.
In practical terms setting up shared deployment credentials means the following:

1. Webmaster or myself will create a username and password with Sonatype.
2. Sonatype will allow the username to deploy snapshot artifacts under the org.eclipse.* groupId only (to limit the damage, should credentials get compromised).
3. The username and password will be stored in a settings.xml file accessible by all Hudson jobs from all slaves.
4. In order to deploy to oss.sonatype.org, projects will need to use the server id from the settings.xml.
Setting up per-project deployment credentials requires exactly the same, only each project will need to do this separately and Sonatype will use a project specific groupId, i.e. org.eclipse.tycho*. So it will simply mean more work for any new project without any real benefits.
What do you think?
[1] https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide
--
Regards,
Igor
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
Wayne Beaton
The Eclipse Foundation
Twitter: @waynebeaton
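As an added illustration of steps 3 and 4 in Igor's proposal (this is example configuration written for this page, not anything from either message or from the Tycho project): the shared credentials live once in the Hudson-wide settings.xml, and a project's pom.xml names only the matching server id, so no password appears in project sources. The server id `ossrh-eclipse`, the account name, the artifact coordinates and the snapshot repository URL are assumptions.

```xml
<!-- Fragment 1: settings.xml on the Hudson slaves, readable by every job.
     "ossrh-eclipse" and the credentials are placeholders chosen for this example. -->
<settings>
  <servers>
    <server>
      <id>ossrh-eclipse</id>
      <username>eclipse-deploy</username>         <!-- placeholder account -->
      <password>REPLACE_WITH_SECRET</password>    <!-- placeholder, never commit -->
    </server>
  </servers>
</settings>

<!-- Fragment 2: pom.xml of a project that deploys snapshots.
     It refers to the server only by id; Maven looks up the credentials
     in settings.xml at "mvn deploy" time. Coordinates and URL are assumed. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.eclipse.tycho</groupId>
  <artifactId>tycho-example</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <distributionManagement>
    <snapshotRepository>
      <id>ossrh-eclipse</id>   <!-- must match the server id above -->
      <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
    </snapshotRepository>
  </distributionManagement>
</project>
```

Because every job on the slave can read fragment 1, the account's deploy right should stay scoped to org.eclipse.* as in step 2; that scoping, not the settings.xml file, is what bounds the damage if a job is compromised.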