[tor-bugs] #16746 [metrics-lib]: Use a better tool than just Ant and Debian's package manager to manage dependencies

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 9 14:45:33 UTC 2015


#16746: Use a better tool than just Ant and Debian's package manager to manage
dependencies
-----------------------------+---------------------
     Reporter:  karsten      |      Owner:  karsten
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  metrics-lib  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------

Comment (by karsten):

 You're right about potential security issues.  What I didn't mention above
 is that I also looked at ways for verifying signatures of downloaded
 artifacts.  Maven Central does have `.asc` files that one can verify
 manually.  I didn't investigate further yet whether that process can be
 automated.

 Also, maybe I wasn't as clear about not only using Maven for metrics-lib
 but also for all other projects depending on it, including Onionoo.  Those
 have more dependencies than just the two that metrics-lib currently has,
 and it's in particular the transitive dependencies that I'd want Maven to
 resolve.

 But okay, I'm with you when you want to discuss what's to be improved
 before making a change.

 I think the main problem to be solved is that applications using metrics-
 lib implicitly need to know which dependencies metrics-lib has, and
 provide them.  For example, Onionoo needs to provide commons-compress.jar
 in its classpath when it uses metrics-lib.  Even worse, Onionoo will start
 without that jar file in its classpath and break as soon as it uses
 functionality of metrics-lib that depends on commons-compress.  The idea
 of using Maven for both Onionoo and metrics-lib was that this transitive
 dependency would be resolved automatically.

 Can you think of improvements to the current build process that help with
 that?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16746#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
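
The failure mode described in the comment above (an application starts without commons-compress on its classpath and breaks only when that code path is reached) can be turned into a failure at startup. This is an added example, not part of the original message or of metrics-lib or Onionoo; the class `DependencyCheck` and the representative class name checked for commons-compress are assumptions.

```java
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Fail-fast classpath check (added example; class and jar names are assumptions). */
public class DependencyCheck {

  /** One representative class per required jar; the entry is illustrative. */
  static final Map<String, String> REQUIRED = new LinkedHashMap<>();
  static {
    REQUIRED.put("commons-compress",
        "org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream");
  }

  /** Returns the names of jars whose representative class cannot be loaded. */
  static List<String> findMissing(Map<String, String> required, ClassLoader loader) {
    List<String> missing = new ArrayList<>();
    for (Map.Entry<String, String> e : required.entrySet()) {
      try {
        // initialize=false: resolve the class without running static initializers.
        Class<?> c = Class.forName(e.getValue(), false, loader);
        CodeSource src = c.getProtectionDomain().getCodeSource();
        // Log where the class really came from, to spot an unexpected or shadowing jar.
        System.err.println(e.getKey() + " loaded from "
            + (src == null ? "bootstrap/unknown" : src.getLocation()));
      } catch (ClassNotFoundException | LinkageError ex) {
        // Jar absent, or present but itself missing one of its own dependencies.
        missing.add(e.getKey());
      }
    }
    return missing;
  }

  public static void main(String[] args) {
    List<String> missing = findMissing(REQUIRED, DependencyCheck.class.getClassLoader());
    if (!missing.isEmpty()) {
      System.err.println("Missing dependencies on classpath: " + missing);
      System.exit(1);
    }
    System.out.println("All required dependencies are present.");
  }
}
```

Calling `findMissing` first thing in the application's own `main` makes a missing jar stop the process before it serves any request, and the logged locations show which file each dependency was actually loaded from.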

