[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[Fwd: Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval]
|
FYI,
-------- Original Message --------
Subject: Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need
for 3rd party dependency approval
Date: Thu, 18 Dec 2008 11:09:39 -0500
From: Wayne Beaton <wayne@xxxxxxxxxxx>
To: IAM development conversations <iam-dev@xxxxxxxxxxx>
References:
<5f815e320812100224u25dfa113pd00d7a454af07302@xxxxxxxxxxxxxx>
<493FE85E.5060306@xxxxxxxxxxx>
<F688D12C-C914-4444-9EC2-3B6E2D434C56@xxxxxxxxx>
<4942B459.9000602@xxxxxxxxxxx>
<5370BF6A-BD57-4ADB-B4C4-B5133660FD73@xxxxxxxxx>
Hi Abel.
It sounds to me like the "central Maven repository" is a potential
"exempt pre-requisite". Which means that IAM should be able to include
some knowledge of how to find and access that respository. Ultimately,
we'll need to get EMO approval on that.
Further, my sense is that by adding a link to another repository (or
however it is that you do this sort of thing), the user is giving IAM
explicit permission to access the archetypes available from that repository.
FWIW, it's true that p2 can be used to install arbitrary things without
the user's consent. However, that's not how it *is* being used (or
rather how it should be used by an Eclipse project). A company could
take p2 and use it as part of their project to install whatever they
want; this would be an issue between that company and their end users.
Does this make sense/help?
Wayne
Abel Muiño Vizcaino wrote:
Hello Wayne,
El 12/12/2008, a las 19:58, Wayne Beaton escribió:
Does the user enter the URL for the Archetype, or is the URL somehow
embedded in the software?
If the URLs are provided by the user, then there should be no problem.
It is a bit complicated... there is not such thing as "the URL". The
user only declares the archetype to use. That declaration is then
looked up in an artifact repository (by default maven central
repository, but it is considered good practice to use a corporate
"mirror"). The actual repository used depends on a set of rules set by
the end user.
I've been thinking that writing an overview of how IAM/maven operates
and relate that to the policy for 3rd party dependencies
(http://www.eclipse.org/org/documents/Eclipse_Policy_and_Procedure_for_3rd_Party_Dependencies_Final.pdf)
could help us moving forward. What do you think?
If the IAM project contains built-in URLs to existing repositories,
then we'll need a works-with CQ (probably one for each URL, but this
may require additional thought). We'll have to get EMO agreement.
It should not be a problem from our side if it is limited to the url
or the maven central repository. However, as noted above, that
repository might not be used at all (and as stated previously, it is
impossible to review every possible artifact in a maven repository).
In either case, the download needs to be obvious. We need IAM to show
a dialog saying something to the effect of "you're about to download
some code not vetted by the Eclipse IP process" or something to that
effect (it might be enough to say that the code is "external"). If
the thing being downloaded has a license attached to it, the user
needs to be given an explicit opportunity to view and accept that
license.
Technically, that can be done, although I'm very worried about the
resulting user experience. What would you consider "obvious"? Showing
the download progress? A note on the user interface?
FWIW, Buckminster and P2 both do this.
No attack intended on any of these projects.
But we use the P2 director (headless) application to assemble out
target platform (installing EPL'ed and non EPL'ed bundles) and it does
not show any license agreement.
And I strongly believe that this is the right thing to do (from an
end-user point of view, I've explicitly declared what I want to use,
so I know what I'm getting into).