FYI: <https://www.sonatype.com/blog/maven-central-...
# dependency-managementt
Tapchicoma
07/02/2024, 2:55 PM😱 5
thank you 1
4️⃣ 1
2️⃣ 1
9️⃣ 1
c
Chris Lee
07/02/2024, 4:10 PMnot mentioned in the article: ephemeral build systems are a common cause of needing to re-download artifacts/dependencies from source (in combination with not using a caching repository proxy). Educating users on how to cache dependencies in common ephemeral cases would help.
For example, a few extra lines in a GitHub Actions workflow will enable Gradle caching of resolved artifacts with the setup-gradle action.
➕ 3
d
Darryl Miles
07/02/2024, 8:20 PMBut why can't we have a signed content distribution mechanism, so that a CI such github can allow users to share a regular caching proxy and properly validate the content they received.
Then extend this to help mitigate supply chain concerns with all publications.
Setup Gradle action only improves that one workflow while it stores the cache data.
Also no breakdown in article in client technology in use at worst offenders, maybe Gradle is not the cause of the problem, but Maven due to it being difficult (and tedious) to solve the problem on a cloud hosted CI platform.
c
Chris Lee
07/03/2024, 12:25 AMIt would be helpful to see a breakdown by say user agent (Gradle identifies itself, its version & jvm info in user agent, not sure what maven or other consumers do).
Chris Lee
07/03/2024, 1:40 PMThere is also the JetBrains cache-redirector that can be used to avoid a direct dependency on Maven Central (settings.gradle.kts):
Copy code
pluginManagement {
repositories { maven("<https://cache-redirector.jetbrains.com/plugins.gradle.org>") }
}
dependencyResolutionManagement {
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
repositories { maven("<https://cache-redirector.jetbrains.com/repo1.maven.org/maven2>") }
}2 Views