Evaluating Archive Managers - can Artifactory do this?

ChrisY

Hi, The company I work for are currently performing maven builds using a
file-based repository on a shared drive. We would like the libraries to be
under some form of configuration management, and are evaluating Nexus,
Artifactory, and Archiva - selected simply because they are mentioned on the
Maven site. The requirements that we have are:

Not Automatically Fetching Libraries
We would like to be able to set up a repository that does not automatically
download a new library just because a developer specifies it in a .pom file.
We would like an administrator to have to add the file to the repository
deliberately. The initial archive would ideally be populated first from our
file-based repository, alternatively a build could force an initial fetch
then the archive configured not to fetch automatically.

The reason that we want this is so that if a third party changes a library
without changing the version number we won't pick up the new version
unknowingly. Also we want to ensure that only known libraries and versions
are in a build.

Auditing of changes to repository
With information about who does what when. Ideally it would be nice to
enable the administrator to add a comment, so they could say why and for
which project

"Normal" archiving of plug-ins
The archive should ideally act as a cache for plug-ins, downloading from the
internet when required.

Security model for Administrators
Basically only administrators should be able to add or remove libraries or
versions from the repository.

I am looking at Artifactory to see how it can achieve the above. Any
pointers on what can/can't be done and how it can be achieved would be
welcome. I have had a response from Nexus saying that the Pro edition is
required to achieve the first requirement, and the second can only be
achieved by using some third party package to read the RSS feed.

Thanks,
Chris
--
View this message in context: http://www.nabble.com/Evaluating-Archive-Managers---can-Artifactory-do-this--tp24167058p24167058.html
Sent from the Artifactory-Users mailing list archive at Nabble.com.


_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users
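
The concern in the post above (a third party republishing a library under an unchanged version number, and only known libraries and versions reaching a build) can be checked independently of whichever repository manager is chosen. The following is an added example, not part of the original thread and not Artifactory, Nexus or Archiva code; the suffix list, the manifest format and the sample coordinates are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: which file types count as artifacts worth pinning.
ARTIFACT_SUFFIXES = {".jar", ".pom", ".war"}

def sha256_of(path):
    """Stream a file through SHA-256 so large artifacts are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(repo_root):
    """Map each artifact's repo-relative path to its hash.

    In the Maven layout the path encodes group, artifact and version,
    so a changed hash under an unchanged path means a silent re-release.
    """
    root = Path(repo_root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in ARTIFACT_SUFFIXES
    }

def audit(repo_root, approved):
    """Compare the repository against the administrator-approved manifest."""
    current = snapshot(repo_root)
    return {
        "changed": sorted(k for k, v in current.items()
                          if k in approved and approved[k] != v),
        "unknown": sorted(k for k in current if k not in approved),
        "missing": sorted(k for k in approved if k not in current),
    }

def demo():
    """Constructed sample: one approved jar is replaced, one jar is never approved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        jar = root / "com/example/lib/1.0/lib-1.0.jar"
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"original release")
        approved = snapshot(root)                  # state signed off by an admin
        jar.write_bytes(b"silently republished")   # same version, new content
        extra = root / "org/other/tool/2.1/tool-2.1.jar"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"never approved")
        return audit(root, approved)

if __name__ == "__main__":
    print(demo())
```

Run as a build step against the shared-drive repository or a local copy of it, a non-empty `changed` or `unknown` list is the signal to fail the build until an administrator reviews the artifact.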
Re: Evaluating Archive Managers - can Artifactory do this?

Turbo-2

Hi,

I cannot answer all your questions, but I'll try to help with what I know.


ChrisY wrote:

>
> Not Automatically Fetching Libraries
> We would like to be able to set up a repository that does not
> automatically download a new library just because a developer specifies it
> in a .pom file. We would like an administrator to have to add the file to
> the repository deliberately. The initial archive would ideally be
> populated first from our file-based repository, alternatively a build
> could force an initial fetch then the archive configured not to fetch
> automatically.
>

This happens for sure with Artifactory; from what I tested it works in Nexus
and Archiva too.



ChrisY wrote:
>
> Auditing of changes to repository
> With information about who does what when. Ideally it would be nice to
> enable the administrator to add a comment, so they could say why and for
> which project
>

At the moment there's no chance to get something like that in Artifactory;
on the other hand, Nexus and Archiva both have RSS feeds.
Nexus has several different feeds for updated, broken, ... artifacts. Archiva
has a smaller set of feeds.
I don't think you can add comments, but I ain't sure.



ChrisY wrote:
>
> Security model for Administrators
> Basically only administrators should be able to add or remove libraries or
> versions from the repository.
>

In all 3 there is the possibility to define roles and prevent users from
doing stuff.
Artifactory is the easiest, but, it seems to me, is also the most limited of
the 3.



One thing I don't like about Artifactory is the fact that the artifacts are
stored in a DB, whereas in Nexus and Archiva they are stored in the file
system.


I hope this helps a little

rgds
Turbo


Re: Evaluating Archive Managers - can Artifactory do this?

Yoav Landman
Administrator
In reply to this post by ChrisY
Hi Chris,

See my answers inline.

Thanks,

Yoav

On Tue, Jun 23, 2009 at 5:32 PM, ChrisY <[hidden email]> wrote:

> Hi, The company I work for are currently performing maven builds using a
> file-based repository on a shared drive. We would like the libraries to be
> under some form of configuration management, and are evaluating Nexus,
> Artifactory, and Archiva - selected simply because they are mentioned on the
> Maven site. The requirements that we have are:
>
> Not Automatically Fetching Libraries
> We would like to be able to set up a repository that does not automatically
> download a new library just because a developer specifies it in a .pom file.
> We would like an administrator to have to add the file to the repository
> deliberately. The initial archive would ideally be populated first from our
> file-based repository, alternatively a build could force an initial fetch
> then the archive configured not to fetch automatically.
>
> The reason that we want this is so that if a third party changes a library
> without changing the version number we won't pick up the new version
> unknowingly. Also we want to ensure that only known libraries and versions
> are in a build.

This is fully supported and we actually have a large number of users using this setup of a "blessed" repository that can only be populated by certain roles.

> Auditing of changes to repository
> With information about who does what when. Ideally it would be nice to
> enable the administrator to add a comment, so they could say why and for
> which project

This is supported in the upcoming version. Currently you have detailed audit logs that capture any change on the repository.

> "Normal" archiving of plug-ins
> The archive should ideally act as a cache for plug-ins, downloading from the
> internet when required.

Sure.

> Security model for Administrators
> Basically only administrators should be able to add or remove libraries or
> versions from the repository.

Artifactory has a simple but powerful security model. AFAIK it is the only repo manager today supporting subdomain-admins (allowing users to assign permissions to other users on dedicated subsections of the repo) and view of effective permissions per role and repo path.

> I am looking at Artifactory to see how it can achieve the above. Any
> pointers on what can/can't be done and how it can be achieved would be
> welcome. I have had a response from Nexus saying that the Pro edition is
> required to achieve the first requirement, and the second can only be
> achieved by using some third party package to read the RSS feed.
>
> Thanks,
> Chris
Re: Evaluating Archive Managers - can Artifactory do this?

ChrisY

Thanks
That is very useful.
 Chris



Yoav  Landman wrote:

>
> Hi Chris,
>
> See my answers inline.
>
> Thanks,
>
> Yoav
>
> On Tue, Jun 23, 2009 at 5:32 PM, ChrisY <[hidden email]> wrote:
>
>>
>> Hi, The company I work for are currently performing maven builds using a
>> file-based repository on a shared drive. We would like the libraries to
>> be
>> under some form of configuration management, and are evaluating Nexus,
>> Artifactory, and Archiva - selected simply because they are mentioned on
>> the
>> Maven site. The requirements that we have are:
>>
>> Not Automatically Fetching Libraries
>> We would like to be able to set up a repository that does not
>> automatically
>> download a new library just because a developer specifies it in a .pom
>> file.
>> We would like an administrator to have to add the file to the repository
>> deliberately. The initial archive would ideally be populated first from
>> our
>> file-based repository, alternatively a build could force an initial fetch
>> then the archive configured not to fetch automatically.
>>
>> The reason that we want this is so that if a third party changes a
>> library
>> without changing the version number we won't pick up the new version
>> unknowingly. Also we want to ensure that only known libraries and
>> versions
>> are in a build.
>
>
> This is fully supported and we actually have a large number of users using
> this
> setup of a "blessed" repository that can only be populated by certain
> roles.
>
>
>>
>> Auditing of changes to repository
>> With information about who does what when. Ideally it would be nice to
>> enable the administrator to add a comment, so they could say why and for
>> which project
>
>
> This is supported in the upcoming version. Currently you have detailed
> audit
> logs that capture any change on the repository.
>
>
>>
>>
>> "Normal" archiving of plug-ins
>> The archive should ideally act as a cache for plug-ins, downloading from
>> the
>> internet when required.
>
>
> Sure.
>
>>
>>
>> Security model for Administrators
>> Basically only administrators should be able to add or remove libraries
>> or
>> versions from the repository.
>
>
> Artifactory has a simple but powerful security model. AFAIK it is the only
> repo manager today supporting subdomain-admins (allowing users to assign
> permissions to other users on dedicated subsections of the repo) and view
> of effective permissions per role and repo path.
>
>
>>
>> I am looking at Artifactory to see how it can achieve the above. Any
>> pointers on what can/can't be done and how it can be achieved would be
>> welcome. I have had a response from Nexus saying that the Pro edition is
>> required to achieve the first requirement, and the second can only be
>> achieved by using some third party package to read the RSS feed.
>>
>> Thanks,
>> Chris