-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add design for fetching maven artifacts #663
base: main
Are you sure you want to change the base?
Conversation
|
||
Example: | ||
``` | ||
cachi2 fetch-deps --source /path/to/sources '[{"type": "generic"}]' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the example! There is no mention of a lock file here. Does this mean that a lock file will always reside in same location? Is there an agreement on where to put it and who would do that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At this time, yes. The generic lockfile is assumed to be present in the root of the cloned input repository. Here's a link to the code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Who will put it there?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I understand where this question is going. It should be commited directly in the repository. An user that wants to use cachi2's maven artifact feature would do that
sense to extend the existing lockfile with support for maven purls. The only difference would be in the output SBOM where | ||
maven artifacts would be reported as `pkg:maven`, instead of `pkg:generic`. | ||
|
||
There is an open question of how the UX should be. I will try to list the available options with some pros and cons. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we need to add a 3rd option here (or change the 2nd): have a separate lockfile, even if it follows the same format as the generic one. That was what I envisioned at first, and the reason is that I don't think we want folks extending the generic fetcher to cover specific use cases.
So I think the bulk of the discussion here is: how extensible we want generic
to be? If we are fine with some special cases (we can't be sure maven will be the only one), then I'd say option 1 is fine. Otherwise, we might want a fully separate package manager.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion, the part that changes is:
- how you compute the download url (meaning, the list of accepted purl types might be expanded later)
- what the output SBOM component is (depends on the above)
So I'd argue that since the underlying mechanism does not change, it should stay as one package manager.
573223b
to
4769c3b
Compare
Signed-off-by: Jan Koscielniak <[email protected]>
Hey folks, this is an followup to #652, which extends generic fetching with the support for maven artifacts. I've tried to roughly outline how this will work and how it will integrate with other cachi2 features. Let me know what you think.
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test
(as is the standard for Pipelines as Code)