Updating documentation was what I was leaning towards, yeah.
Build servers (@apache, personal, work) all have the potential to fail.
If you have other teams integrating with the regular builds of Accumulo
(e.g. projects that build against nightly's of Accumulo), we also now
prevent them from building because Accumulo couldn't build. Yes, it's
still based around building Accumulo, but it can still cascade.
On 8/18/14, 11:06 AM, Sean Busbey wrote:
We could just update our developer docs to strongly suggest updating to
Maven 3.2.3, if we don't want to force it.
What kind of downstream issues are you expecting? AFAIK, the enforcer
section for the pom only gets used when building our repo, not when
building a project that uses us as a dep.
On Mon, Aug 18, 2014 at 9:41 AM, Josh Elser <[email protected]> wrote:
Yes - exactly.
Doing it in master only may alleviate some of the worry, but I imagine it
would still cause headache. For something that is already configurable by
<3.2.3 by users who want it, I can't get behind forcing a newer version to
just to get the default action changed.
On 8/18/14, 9:01 AM, Bill Havanki wrote:
A user with Maven pre-3.2.3 can configure the Maven Central URL to use
HTTPS by setting up a mirror in their settings.xml.
http://maven.apache.org/guides/mini/guide-mirror-settings.html
Josh, is your concern that folks won't be able to upgrade to 3.2.3?
On Sun, Aug 17, 2014 at 5:41 PM, Josh Elser <[email protected]> wrote:
I see a massive headache incoming doing this. Is there a middle ground we
can encourage people to use that isn't going to break everyone
downstream?
Can we make some recommendations to clients about how to use HTTPS
instead
of HTTP access to avoid the MITM attack (which I assume is the primary
reason for suggesting the update).
On 8/17/2014 4:57 PM, Sean Busbey wrote:
Now that Maven has released version 3.2.3 to default HTTPS access to
maven
central, anyone have an objection to updating our enforcer rules to
require
it?
http://maven.apache.org/docs/3.2.3/release-notes.html
