[ https://issues.apache.org/jira/browse/OFBIZ-6271?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14529135#comment-14529135 ]

Ron Wheeler commented on OFBIZ-6271:
------------------------------------

I did not say that it was a good idea for us :-)

It is a solution for the truly paranoid who do not want to include any jars from a public repo and want to build everything, including transitive dependencies, from sources downloaded from the author.

It is a middle ground for companies that currently forbid the use of any open source software for security reasons. It would make the inclusion of any open source project very explicit, which might make an auditor or risk manager sufficiently comfortable to allow some open source libraries into a closed shop.

It is a lot more work but not unmanageable. Certainly more efficient than banning open source or not using Maven.

Once you have the initial repo populated and want to upgrade a version, you would have to look at the transitive dependencies and rebuild all of those that also changed. If you removed the old versions at the same time, you would quickly find dependencies on the older versions so you could fix those as well.

I would suspect that the repo would be a couple of gigs but not tens of gigs. Our repo is under 4 gigs with all our stuff as well as the dependencies downloaded over the past 8 years. (13 versions of Ant, 10 versions of commons-logging, 9 versions of poi, 12 versions of jackrabbit). We probably use over 100 external jars in our largest app, which is made up of over 70 Maven projects. So I would not be worried about the size of a private OFBiz repo.

This approach would not interfere with Maven at all. Maven has no idea how my Nexus repo finds all the artifacts in my builds. It refers to a single virtual repo in settings.xml and the repo administrator (me in our case) defines the contents of that virtual repo.

The fact that our Nexus includes both proxied artifacts from a few other repos besides Maven Central and our own hosted repo is hidden from Maven. It just asks our repo for stuff and the artifacts get downloaded to the developer's cache transparently to the developer.

> build management with maven
> ---------------------------
>
> Key: OFBIZ-6271
> URL: https://issues.apache.org/jira/browse/OFBIZ-6271
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Reporter: Adam Heath
> Priority: Minor
> Attachments: console.log
>
>
> This is a new build system; the primary goal will be to not require any changes to existing ofbiz layouts (for backwards compatibility, at least initially).
> These pom.xml files are completely new; the existing build.xml infrastructure will continue to exist. The existing build.xml will never call into maven (which is what processes the pom.xml), and maven will never call into build.xml either.
> I have already committed a working pom.xml for the top level, and framework/start. Shortly, I will be adding framework/base and framework/entity, but into this branch.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
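The arrangement described in the comment above, where Maven refers to a single virtual repo in settings.xml, can be checked mechanically. The following is an added example, not part of the original message or of OFBiz: it audits a settings.xml for a catch-all mirror on an approved host. The host names, the sample files and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples; nexus.example.internal is a placeholder host name.
def _settings(mirror_of, url):
    return f"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors><mirror>
    <id>internal</id>
    <mirrorOf>{mirror_of}</mirrorOf>
    <url>{url}</url>
  </mirror></mirrors>
</settings>"""

INTERNAL_URL = "https://nexus.example.internal/repository/public/"
SINGLE_REPO = _settings("*", INTERNAL_URL)          # everything via the private repo
CENTRAL_ONLY = _settings("central", INTERNAL_URL)   # only Maven Central is redirected
PUBLIC_MIRROR = _settings("*", "https://repo.example.org/maven2/")

CATCH_ALL = {"*", "external:*"}  # mirrorOf values that cover every remote repository


def _local(tag):
    """Drop the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_settings(xml_text, approved_hosts):
    """Return findings; an empty list means all remote fetches go to an approved host."""
    findings, covered = [], False
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "mirror":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        host = urlparse(fields.get("url", "")).hostname
        patterns = [p.strip() for p in fields.get("mirrorOf", "").split(",")]
        if host not in approved_hosts:
            findings.append(f"mirror {fields.get('id')!r} points at unapproved host {host!r}")
            continue
        excluded = [p for p in patterns if p.startswith("!")]
        if excluded:
            findings.append(f"mirror {fields.get('id')!r} lets {excluded} bypass it")
        elif CATCH_ALL & set(patterns):
            covered = True
    if not covered:
        findings.append("no catch-all mirror on an approved host; "
                        "repositories declared in POMs are contacted directly")
    return findings


if __name__ == "__main__":
    for name in ("SINGLE_REPO", "CENTRAL_ONLY", "PUBLIC_MIRROR"):
        print(name, audit_settings(globals()[name], {"nexus.example.internal"}))
```

Run against each developer's or build agent's settings.xml, an empty result means the repo administrator alone decides which artifacts a build can reach.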