[tor-bugs] #16746 [metrics-lib]: Use a better tool than just Ant and Debian's package manager to manage dependencies

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 9 14:11:06 UTC 2015


#16746: Use a better tool than just Ant and Debian's package manager to manage
dependencies
-----------------------------+---------------------
     Reporter:  karsten      |      Owner:  karsten
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  metrics-lib  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------

Comment (by iwakeh):

 I would first list what should be improved and then look for a way to
 accomplish things.


 == Thoughts about Maven
 * Why introduce the necessity to depend on maven-central? See their
 [https://repo1.maven.org/terms.html terms]: basically anyone can upload,
 nothing is screened, and there is no quality/security control whatsoever.
 Usually, software companies that are serious about reproducibility,
 quality, and security issues maintain their own "hand-collected" manually
 screened repositories inside the company net. It's easy to infer what and
 how you build just by tracing the maven dependency requests and the like.

 * Maven is very powerful. So using it for the current Onionoo setup would
 work, but take a look at the pom.xml of just the maven-compiler-plugin
 (and all other deps). Does that look like neat and clean dependency
 management?

 * metrics-lib only needs two libs to be compiled (after you got rid of
 commons-codec). How many artifacts do you download with your maven build?
 Take a look at all the pom.xmls. What do they do? What does the code you
 downloaded do? etc.



 == Goals for the build process (ordered at random)
 This is of course also valid for the other java projects.

 * ease of development
 * security
 * reproducibility
 * clear dependency handling

 === Ways to accomplish (there are more of course)
 Whoever compiles metrics-lib (or any other Java project) knows how to
 adapt the path {{{/usr/share/java/}}} in build.xml to the path they use for
 the required libs.^([#fn1 '1'])^ So Debian is not really a dependency.

 A well written build.xml with clear versioning for external libs will make
 the build process easy. (I think I mentioned that before in a ticket,
 can't find it right now)

 Reproducibility should be added (to all java Tor projects) by using Java
 jar signing and the like.

 My two cents.
 Well, sounds like I'm strongly opposed to the switch.

 ------
 [=#fn1 1]: or they should learn about it :-)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16746#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
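The comment above argues for a hand-collected, manually screened lib directory with clear versioning instead of pulling unscreened artifacts from maven-central. The script below is an added example of what the "screened repository" idea looks like in practice; it is not code from the ticket or from metrics-lib. It verifies a lib directory against a lockfile of pinned SHA-256 digests and refuses the build on a missing jar, a jar whose bytes changed, or a jar that is present but was never pinned. The lockfile format, the jar names and the temp-directory setup are assumptions made for the demonstration; the "jars" are plain constructed files standing in for real archives.

```shell
#!/bin/sh
# Added example (not metrics-lib code): gate an Ant build on a lockfile of
# pinned SHA-256 digests for every external jar in a hand-collected LIBDIR.
# The lockfile format and jar names are assumptions for this demonstration.
#
# Lockfile format, one jar per line, '#' starts a comment:
#   <sha256-hex>  <jar filename>

sha256_of() {
    # Print the hex SHA-256 of a file (coreutils first, BSD/macOS fallback).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_libs LIBDIR LOCKFILE
# Exit status 0 only if every pinned jar is present with exactly the pinned
# digest AND no unpinned .jar sits in LIBDIR (an unreviewed dependency that
# would otherwise land silently on the classpath).
verify_libs() {
    libdir=$1
    lockfile=$2
    rc=0
    while read -r expected name; do
        [ -z "$name" ] && continue                  # blank line
        case $expected in '#'*) continue ;; esac    # comment line
        path="$libdir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name expected=$expected actual=$actual" >&2
            rc=1
        fi
    done < "$lockfile"
    # Anything in LIBDIR that the lockfile does not name is a red flag too.
    for jar in "$libdir"/*.jar; do
        [ -e "$jar" ] || continue
        base=$(basename "$jar")
        if ! awk -v n="$base" '$1 !~ /^#/ && $2 == n { found = 1 } END { exit found ? 0 : 1 }' "$lockfile"; then
            echo "UNPINNED $base" >&2
            rc=1
        fi
    done
    return $rc
}

# demo_setup: build a throwaway LIBDIR with two constructed "jars" (plain
# files standing in for real archives) and a matching lockfile; prints the
# temp root so callers can use "$root/lib" and "$root/lib.lock".
demo_setup() {
    root=$(mktemp -d)
    mkdir "$root/lib"
    printf 'constructed contents of libone\n' > "$root/lib/libone.jar"
    printf 'constructed contents of libtwo\n' > "$root/lib/libtwo.jar"
    {
        echo '# pinned by hand after review; regenerate only when a lib is bumped'
        printf '%s  %s\n' "$(sha256_of "$root/lib/libone.jar")" libone.jar
        printf '%s  %s\n' "$(sha256_of "$root/lib/libtwo.jar")" libtwo.jar
    } > "$root/lib.lock"
    echo "$root"
}

demo() {
    root=$(demo_setup)
    echo "--- pristine lib directory"
    verify_libs "$root/lib" "$root/lib.lock"
    echo "--- after libtwo.jar is altered and an unpinned jar is dropped in"
    printf 'extra bytes\n' >> "$root/lib/libtwo.jar"
    : > "$root/lib/stray.jar"
    if verify_libs "$root/lib" "$root/lib.lock"; then
        echo "verification unexpectedly passed"
    else
        echo "verification failed as intended; the build should abort here"
    fi
    rm -rf "$root"
}

demo
```

Wired into build.xml through an `<exec failonerror="true">` target that `<javac>` depends on, this gives the "clear versioning for external libs" the comment asks for without a repository manager: bumping a lib means reviewing it and editing one lockfile line. The same digest pinning applies equally to jars fetched from any remote repository, which is the missing piece in the maven-central concern raised above.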