Disabling self-update for vendor installs #500
Currently packaging boot to be installed via vendor tooling, which gives sysadmin people better peace of mind than a blind
Presently doing this via simply provisioning a custom version of
However, in such a situation it's desirable to disable self-update mechanics.
Obviously this can be bodged in via re-writing args passing from scratch in the bash wrapper, and then bailing when somebody tries to upgrade, but I figured it might be better to suggest some kind of first-class support for this.
I suspect a JVM Option like
@kentfredric You can install
I don't see how disabling self-update would make anything more secure, can you please explain a little more?
Boot contains the update logic to make it feasible to pin a project to a specific version of boot in the
It should be said that this is something that is seen as undesirable from a vendor/sysadmin standpoint and that we're trying to limit how much of this happens.
Obviously maven is a complex beast and it's not feasible to eliminate this entirely at present.
But in that vein I didn't use your upstream version of boot.sh (which I incidentally had trouble working out where you actually stored that in GitHub, because it was invisible in every source tree and was not listed on any release page), and instead booted into a copy of
The alternative with the self-contained binary shell script hybrid was just not something I felt comfortable releasing into our systems.
But as such, the above I believe means we've made boot itself unupgradeable, due to hard-wiring the jar itself ( I don't know if the embedded jar in the .sh and the
However, I now realise this may be undesirable for developers who need specific versions of boot in their runtime, so I may have to think of a different strategy.
To help understand my motives, it should also be said that in the ultra-long-term we desire to be able to build as much from source as possible, and we also want a way to subvert the "download things from maven automatically", because Gentoo is a source-based distribution, and people prefer to build things from their sources where possible a lot of the time.
This is clearly not going to happen in the next month, or the next year, but one thing I'd hope to see eventually is being able to invoke
Because the end result is of course we want to be able to ship java/clojure based applications, where the users don't have to know how the Java ecosystem works to "just use" these applications, and
But yeah, all very very long term goals, so I'm not panicking if we have to make short term compromises :)
I would very much welcome something like this in order to be able to use boot for building packages in NixOS. Nix package builds are run by an unprivileged user with no network access and no write permission in their home directory: initially it looked like boot's
(The current packaging of boot in NixOS is, as far as I can determine, not adequate for this use case)