[ https://issues.apache.org/jira/browse/OFBIZ-6271?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14528552#comment-14528552 ]
Adam Heath commented on OFBIZ-6271:
-----------------------------------
Hahaha. That guy is an idiot. Seriously. Don't blame the tool for bad developers.
I gave a talk at ApacheCon just recently, showing how to use ofbiz and docker together. Do you think I just randomly download stuff from the internet, every single time? I don't, because I understand the point of trusted build, and security.
Docker itself is really really really bad for security on downloaded image layers. It has a message that says "verified" when it has fetched remote data, but the data was retrieved over http, and the hashsum in the metadata is *not* checked. All that verified message means is that the metadata was syntactically correct!
I rebuild my base image layers using debootstrap (I don't trust the debian or ubuntu image flavors). This is all based on apt-get stuff. The only thing I download is wp-cli, but that's not being fully utilized, and I don't actually download it automatically (it's a manual step, so could be verified by the developer).
So, I've taken this tool (docker), and used the parts that are good, and not the parts that are bad.
ps: This is not a rant at you, Jacques.
pps: I'm close to having my docker+ofbiz scripts ready. I have a repo already with most of my stuff on github, it just needs a bit of documentation.
> build management with maven
> ---------------------------
>
> Key: OFBIZ-6271
> URL: https://issues.apache.org/jira/browse/OFBIZ-6271
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Reporter: Adam Heath
> Priority: Minor
> Attachments: console.log
>
>
> This is a new build system; the primary goal will be to not require any changes to existing ofbiz layouts (for backwards compatibility, at least initially).
> These pom.xml files are completely new; the existing build.xml infrastructure will continue to exist. The existing build.xml will never call into maven (which is what processes the pom.xml), and maven will never call into build.xml either.
> I have already committed a working pom.xml for the top level, and framework/start. Shortly, I will be adding framework/base and framework/entity, but into this branch.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
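
The comment above distinguishes metadata that merely parses from content whose hash was actually checked. The following is an added example, not part of the original message and not Docker's code; the manifest layout, function names and layer bytes are constructed for illustration.

```python
import hashlib
import hmac
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def sha256_digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

def metadata_is_well_formed(manifest):
    """Syntactic check only: says nothing about the bytes that were fetched."""
    layers = manifest.get("layers")
    if not isinstance(layers, list) or not layers:
        return False
    return all(
        isinstance(entry, dict)
        and isinstance(entry.get("digest"), str)
        and DIGEST_RE.match(entry["digest"]) is not None
        and isinstance(entry.get("size"), int)
        for entry in layers
    )

def verify_layers(manifest, blobs):
    """Content check: return digests whose fetched bytes are missing or do not match.

    Assumes the manifest itself came from a trusted source (for example a
    signed file or a locally built image); otherwise the digests prove nothing.
    """
    if not metadata_is_well_formed(manifest):
        raise ValueError("malformed manifest")
    failed = []
    for entry in manifest["layers"]:
        expected = entry["digest"]
        data = blobs.get(expected)
        if (data is None or len(data) != entry["size"]
                or not hmac.compare_digest(sha256_digest(data), expected)):
            failed.append(expected)
    return failed

# Constructed sample data: two layers, then a same-length altered copy of layer 1.
GOOD = [b"constructed layer 0: base rootfs\n", b"constructed layer 1: app files\n"]
MANIFEST = {"layers": [{"digest": sha256_digest(b), "size": len(b)} for b in GOOD]}
FETCHED_OK = {sha256_digest(b): b for b in GOOD}
FETCHED_TAMPERED = dict(FETCHED_OK)
FETCHED_TAMPERED[sha256_digest(GOOD[1])] = GOOD[1].replace(b"app", b"APP")

if __name__ == "__main__":
    print("well-formed:", metadata_is_well_formed(MANIFEST))
    print("failed (clean fetch):", verify_layers(MANIFEST, FETCHED_OK))
    print("failed (altered fetch):", verify_layers(MANIFEST, FETCHED_TAMPERED))
```

The altered fetch passes the syntactic check unchanged, because the manifest was never touched; only hashing the received bytes exposes the substitution.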