[ZEPPELIN-404] Certain project dependencies are pulled from 3rd parties repos instead of ASF or public Maven - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 0.5.0
Fix Version/s: 0.5.5
Component/s: build
Labels:
None

Description

Looking at the source code I see that
spark/pom.xml
lens/pom.xml
spark-dependencies/pom.xml
use cloudera's repo for the dependency resolution. All these projects are Apache TLPs, hence their artifacts and their dependencies should be pulled either from ASF server or public Maven server.

We shouldn't be pulling Apache projects dependencies from a 3rd party source that could be outdated, contain non-Apache bits or outright malicious artifacts.

Attachments

Activity

People

Assignee:: Lee Moon Soo

Reporter:: Konstantin I Boudnik

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/Nov/15 23:45

Updated:: 10/Nov/15 17:10

Resolved:: 09/Nov/15 01:30