Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build logs "Downloading from shibboleth-repo: .." #27358

Closed
Sanne opened this issue Aug 18, 2022 · 0 comments · Fixed by #27359
Closed

Build logs "Downloading from shibboleth-repo: .." #27358

Sanne opened this issue Aug 18, 2022 · 0 comments · Fixed by #27359
Assignees
Labels
area/build area/persistence OBSOLETE, DO NOT USE area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar kind/enhancement New feature or request
Milestone

Comments

@Sanne
Copy link
Member

Sanne commented Aug 18, 2022

Describe the bug

When building a Quarkus application using the MSSQL JDBC driver, this dependency is pulling in an additional dependency com.nimbusds:oauth2-oidc-sdk whose pom.xml defines an additional Maven repository <id>shibboleth-repo</id>.

This additional repository gets activated, as evidenced by the log:

Downloading from shibboleth-repo: https://build.shibboleth.net/nexus/content/repositories/releases/net/minidev/json-smart/maven-metadata.xml

Fetched metadata also actually pollute the local build repository; I'm considering this a problem as we don't want additional repositories being activated behind user's back:

  • they might not trust it (although this one looks sane)
  • it slows down other aspects of the build
  • it makes it harder to configure proxies and mirrors for firewalled builds

In general it's a bad practice to have such repositories in a pom as it leads to supply chain concerns.

@Sanne Sanne added kind/bug Something isn't working area/persistence OBSOLETE, DO NOT USE area/build labels Aug 18, 2022
@Sanne Sanne self-assigned this Aug 18, 2022
@sberyozkin sberyozkin added the area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar label Aug 18, 2022
@Sanne Sanne added kind/enhancement New feature or request and removed kind/bug Something isn't working labels Aug 18, 2022
@quarkus-bot quarkus-bot bot added this to the 2.13 - main milestone Aug 18, 2022
@gsmet gsmet modified the milestones: 2.13 - main, 2.12.0.Final Aug 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/build area/persistence OBSOLETE, DO NOT USE area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar kind/enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants