Are maven jars safe? [closed] - maven-2

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
How can I convince my corp employer, than jars from the Maven repositories are safe for use? I've conducted a count of jars on my local repo and it came back as 552. My goal is to setup a corporate repository with approved jars, but I'd like to not have to submit hundreds and eventually thousands of software requests. any suggestions (other than find new emp)?

How can I convince my corp employer, than jars from the Maven repositories are safe for use?
Downloading a jar from a Maven repository is not less safe than downloading a jar from another location. In other words, Maven repositories don't really introduce a problem, the problem is your dependency on an external library.
Now, if your boss is really paranoid, he can always ask you to grab the sources of your 552 jars, audit them line by line, build them and install them in a repository of approved jars. That will "just" cost him a few dollars :)
But since most projects are open source, since they are transparent, since many eyes can inspect them, I personally believe that any malicious attacks would be detected pretty fast and that the cost isn't worth the risk (which is pretty low). Maybe I trust the community too much but, so far, it works.

Related

Really "basic" sorry... I Can't see how to create a simple EXE in VB.net. I Can't even see how to publish my app simply [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I have used VB5 extensively and it created exe files - easy to deploy without having to install much else. I will be really disappointed if my recent use of "modern" .net (I moved over for extra features) means I can't even create the age old simple exe file... What a pain! Hope I'm wrong...
When you build a project an exe file will appear by default in either the bin/Debug/ or bin/Release/ directory (depending on the build configuration) under your project every time you compile it.
It's not a "native" exe file though, so it will require the .NET Framework to be installed to run, however most relevant machines should already have at least some version installed.

Minecraft development : Where to find older Bukkit API documentation? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 6 years ago.
Improve this question
Had been stepping into Bukkit API development for a few months, most of the time I use the spigot website (https://hub.spigotmc.org/javadocs/bukkit/) to check for the APIs, last month when 1.11 released, the documentation was updated to v1.11 as well.
Due to not wanting to update the code to 1.11 at the current moment, where can I find the API documentation for Bukkit v1.10.2?
While I'm not aware of a site that contains the documentation for a previous version, the Maven repo for spigot does have source and documentation jars for each version that you should be able to attach to in your IDE.
If you want to manually set it up (or Maven refuses to work), you can manually find the jars here - first select your version, and then download the latest -javadoc.jar (which will be at the bottom of the page). You can unzip that jar (which contains HTML pages rather than source or classes) and then you'll have a copy of the javadocs from that version. In the case of 1.10.2, the jar you want is this one.
You could download the older CraftBukkit/Spigot builds and have them generate your own copy of the HTML-javadocs.
The 1.10 version can use the 1.7.2 API to create its plugin, the 1.11 version also works.
Althought the documentation is a little different, you can refer to the latest Spigot javadocs, as nothing changed. When developing plugins for 1.7.2, one can use the Spigot 1.11 docs and there won't be any problem
Latest Spigot Documentation
Bukkit 1.7.10 Documentation

How do I properly use NUGET, for MVC (ASP.NET) projects? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I've learned that NUGET will "Always" download the latest package and how to use the -version switch. However, on a recent project where different developers had different SUO files (Visual Studio) they would have the need to add other NUGET content to satisfy Build errors. (Yes we shouldn't be doing that ).
But in attempting to clean up the mess, it seems as if NUGET does not clean up everything as it should. I validated this by debugging an issue and finding that the Web.Config still had bad references just last week. The problem of course is that the whole dependency chain on these packages is unknown! This creates circular dependency chains that are most likely the reason why when Uninstalling packages, there is left-over Dlls.
Here's a case in point, last week we were so hosed up, I decided to re-install MVC 4... Couldn't figure out how to do that simple task other than to compare my last known working version and individually download version specific dlls. And good luck in finding the more obscure packages which MSFT includes in their own MVC templates.
Just wondering, what do you do, to make this fool proof and what advise can you give me to become an "expert" at controlling my reference libraries?
I'd recommend setting 'Enable Nuget Package Restore' on your solution. Also ensure that nothing from the packages folder gets into source control. Let the package restore resolve the packages on each machine. Once you have some packages in Source control you are introducing headaches in managing them (versions, missing references etc.)

Git Submodules vs. Cocoapods [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
What are the advantages/disadvantages of using Cocoapods vs. Git Submodules? I am aware that there are several differences, but I would like to find out more about the advantages and disadvantages of using either system. Thanks!
Git submodules shouldn't be used for dependancy management. I suggest you to use Cocoapods.
Git Submodule
Pros
Basically a one liner to initiate it, no need for extra files / configuration.
Cons
You can't specify target directories, you always have to clone the whole repository.
When the repository moves you have to manually update it.
You have to check in the actual dependancies.
Cocoapods
Pros
Only clones the directories you need.
Easy to update / maintain.
You doesn't have to check in the whole dependancy tree, you just need to check in the Podfile and Podfile.lock. Every maintainer can fetch the dependancies on there own.
Cons
Depends on the Podfile in your Spec repository or the main spec repository.
Depends on an external tool.
You can read more about Cocoapods here.

Recommend Build Artifact Repository Manager [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
Currently we use FTP to maintain build artifact distribution and 3rd party products (for internal use only).
Artifacts are docs (HTML/pdf/chm/...), libs (.dll/.so/.a/.jar/...), programs (.exe/.jar/...) and anything else. They are not restricted to Java/.NET and can come from different cultures (firmware, driver, mobile/workstation, GUI, Win/Linux/Mac/Solaris/AIX,... etc).
To orginize hierarhy we use such paths:
ftp://3pp/VENDOR/PRODUCT/VERSION/...
ftp://3pp/opensource/PACKAGE-x.x.x.tar.bz2
ftp://dist/PRODUCT/VERSION/...
To maintain description of artifacts we use README and CHANGES plain test files (reStructuredText).
What is missing in this schema?
Missing permissions (anyone can damage storage).
Missing dependency tracking (so every build file must be updated if version dependency changed).
Missing fetching activity (some files seem no longer needed, but we don't know which).
I am not deeply looking for existing solutions. Some package manager like rpm/dpkg, heard about Maven repo etc...
Please recommend Build Artifact Repository Managers. Also it is good to hear drawbacks and restrictions.
UPDATE
https://en.wikipedia.org/wiki/Binary_repository_manager
https://binary-repositories-comparison.github.io/
You're creating a custom software artifact repository. There are three open-source projects which already do this:
Artifactory
Nexus
Archiva
Artifactory and Nexus also have paid versions.
You can store any kind of file in these repositories, and you don't need to use Maven. You can manually deploy artifacts to them. You can set up fine-grained access control. They integrate well with automated build tools.
I think using one of these tools would save you a lot of effort!
Here's fairly unbiased (community-driven) comparison matrix between the three.
With SVN + Apache (mod_dav_svn.so, mod_authz_svn.so) seems I get:
Anonymous read only access through HTTP protocol with wide range of
supported clients for downloading (wget/curl from GNU Make, task for
Apache Ant).
Easy maintainable write access for users/groups (easy syntax):
[repo:/path]
user = rw
through cadaver utility.
Integration with LDAP.
History of releases (when, what and who).
Atomic operation (prevent from concurrent releases and rollback on errors).