Add design for fetching maven artifacts #663
Conversation
|
|
||
| Example: | ||
| ``` | ||
| cachi2 fetch-deps --source /path/to/sources '[{"type": "generic"}]' |
There was a problem hiding this comment.
Thank you for the example! There is no mention of a lock file here. Does this mean that a lock file will always reside in same location? Is there an agreement on where to put it and who would do that?
There was a problem hiding this comment.
At this time, yes. The generic lockfile is assumed to be present in the root of the cloned input repository. Here's a link to the code
There was a problem hiding this comment.
Who will put it there?
There was a problem hiding this comment.
Not sure I understand where this question is going. It should be commited directly in the repository. An user that wants to use cachi2's maven artifact feature would do that
| sense to extend the existing lockfile with support for maven purls. The only difference would be in the output SBOM where | ||
| maven artifacts would be reported as `pkg:maven`, instead of `pkg:generic`. | ||
|
|
||
| There is an open question of how the UX should be. I will try to list the available options with some pros and cons. |
There was a problem hiding this comment.
Maybe we need to add a 3rd option here (or change the 2nd): have a separate lockfile, even if it follows the same format as the generic one. That was what I envisioned at first, and the reason is that I don't think we want folks extending the generic fetcher to cover specific use cases.
So I think the bulk of the discussion here is: how extensible we want generic to be? If we are fine with some special cases (we can't be sure maven will be the only one), then I'd say option 1 is fine. Otherwise, we might want a fully separate package manager.
There was a problem hiding this comment.
In my opinion, the part that changes is:
- how you compute the download url (meaning, the list of accepted purl types might be expanded later)
- what the output SBOM component is (depends on the above)
So I'd argue that since the underlying mechanism does not change, it should stay as one package manager.
kosciCZ
force-pushed
the
maven-design
branch
2 times, most recently
from
573223b
to
4769c3b
Compare
Signed-off-by: Jan Koscielniak <[email protected]>
Hey folks, this is an followup to #652, which extends generic fetching with the support for maven artifacts. I've tried to roughly outline how this will work and how it will integrate with other cachi2 features. Let me know what you think.
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test(as is the standard for Pipelines as Code)