Pull out Atlassian Crowd from Roller?

Tue, 06 Aug 2013 09:11:30 -0700

Hi Team, I was looking at simplifying the number of external repositories that Roller relies on, with the hopes that everything it needs it can find from Maven Central, speeding up initial downloads and builds in the process. (I think it's also a good selling point for Roller that it can be built purely with the vanilla deps from Central.) And we've gone from 5 to 2 repos in our app/pom.xml: just Central and Atlassian's, the latter needed (https://developer.atlassian.com/display/CROWDDEV/Maven+2+Integration) only for the Atlassian Crowd SSO dependencies added in February 2012 based on a donation from Nick Padilla (https://issues.apache.org/jira/browse/ROL-1933).
I'd like to remove Crowd support from Roller--I have no problem with accepting patches that facilitate linkage with external SSO solutions, including commercial ones like Crowd (https://www.atlassian.com/software/crowd/overview), but directly incorporating this solution into Roller is problematic, namely: 


1.) According to the Crowd site, their JARs are not open source but 
proprietary: 
https://www.atlassian.com/licensing/purchase-licensing#source-2 and the 
source code is not freely available.  The Atlassian repo does not supply 
the source code: 
https://maven.atlassian.com/content/repositories/atlassian-public/com/atlassian/crowd/crowd-integration-client-rest/2.4.0/. 
So I don't think we can incorporate their JARs (no more than we could 
those of WebLogic or WebSphere) into Roller distributions. Even LGPL is 
out of the question with Apache, proprietary JARs without source can't 
be much better.



2.) I don't see how we can maintain this dependency.  It's using 2.4.0 
and 18 months later Crowd is up to 2.6.4, and about to ship 2.7.0.  
Nobody here has the time or inclination to study up on Atlassian 
proprietary products to keep the code up-to-date (let alone register for 
Crowd access and accept a bunch of legalese to test it), nor are we in a 
position to say that the supplied code is safe and reliable to use.  
There are open source SSO solutions -- Apache Syncope maybe -- that 
might be healthier for Roller to provide built-in support in the future for.



Nick's Crowd implementation consists of just two small classes in 
Roller, I think he can just post those classes on GitHub, and add a 
reference to them from the Apache Roller Wiki site about how to hack 
Roller to put those classes & dependencies in for the small minority 
using Crowd.  (I've checked Nick's two websites, he doesn't appear to be 
using Roller today anyway, however he may be for an internal solution, I 
don't know.)  WDYT?


Regards,
Glen























					Reply via email to