[ 
https://issues.apache.org/jira/browse/OFBIZ-6271?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14528552#comment-14528552
 ] 

Adam Heath commented on OFBIZ-6271:
-----------------------------------

Hahaha.  That guy is an idiot.  Seriously.  Don't blame the tool for bad 
developers.

I gave a talk at ApacheCon just recently, showing how to use ofbiz and docker 
together.  Do you think I just randomly download stuff from the internet, every 
single time?  I don't, because I understand the point of trusted build, and 
security.

Docker itself is really really really bad for security on downloaded image 
layers.  It has a message that says "verified" when it has fetched remote data, 
but the data was retrieved over http, and the hashsum in the metadata is *not* 
checked.  All that verified message means is that the metadata was 
syntactically correct!

I rebuild my base image layers using debootstrap (I don't trust the debian or 
ubuntu image flavors).  This is all based on apt-get stuff.  The only thing I 
download is wp-cli, but that's not being fully utilized, and I don't actually 
download it automatically (it's a manual step, so could be verified by the 
developer).

So, I've taken this tool (docker), and used the parts that are good, and not the 
parts that are bad.

ps: This is not a rant at you, Jacques.

pps: I'm close to having my docker+ofbiz scripts ready.  I have a repo already 
with most of my stuff on github, it just needs a bit of documentation.

> build management with maven
> ---------------------------
>
>                 Key: OFBIZ-6271
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6271
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>            Reporter: Adam Heath
>            Priority: Minor
>         Attachments: console.log
>
>
> This is a new build system; the primary goal will be to not require any 
> changes to existing ofbiz layouts (for backwards compatibility, at least 
> initially).
> These pom.xml files are completely new; the existing build.xml infrastructure 
> will continue to exist.  The existing build.xml will never call into 
> maven (which is what processes the pom.xml), and maven will never call into 
> build.xml either.
> I have already committed a working pom.xml for the top level, and 
> framework/start.  Shortly, I will be adding framework/base and 
> framework/entity, but into this branch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
