If you know all about Maven skip down to A DNS Record for Maven Repositories

Most people that do software development and/or deployment on environments that run on the JVM (Java Virtual Machine), have come across Apache Maven (or tools such as Apache Ivy that interface with Maven repositories), and know that it is a great tool for managing dependencies for applications. Most Open Source and commercial (or semi-commercial) software packages and modules offer public Maven repositories to get the components (and the right versions of them) automatically downloaded when you are building/assembling your application.

There is also challenges, such as Maven allows you to declare dependencies, and automatically resolve dependencies in third party modules, but what if that particular module is not available in the public Maven repository, where can you find it? You often end up googling for things like “+org.restlet +maven +repository” to find where that particular module is published and downloadable for Maven, and adding that repository either to the build files (for Maven, Ivy etc) or to your maven settings in your home directory.

I think this could be done much more automated, and thus I am proposing an introduction of a DNS record to expose Maven repositories and have Maven (and other tools that use Maven repositories) be able to resolve these repository end-points automatically.

A DNS Record for Maven Repositories

The standard I propose would make it easy for anybody, open source project or commercial software company, to publish a pointer to a Maven Repository (and it can even be fully or partially protected for commercial modules) through a simple DNS entry, and then have Maven automatically resolve that repository.

The whole idea is to allow the owners of an domain to declare a pointer in their DNS that tells Maven where to find the  Maven Repository associated with that domain.

This is an example DNS record of how to declare a Maven Repository (this would be part of the DNS zone file):

@ 3600 IN TXT "maven-repository=https://nicolaiwadstrom.com/maven2/"

Try this for my domain, in a Mac OS X, Linux or Windows terminal/command prompt enter:

nslookup -type=txt nicolaiwadstrom.com

This should give a response as follows:

Server: 172.16.1.1
Address: 172.16.1.1#53
Non-authoritative answer:
nicolaiwadstrom.com text = "maven-repository=https://nicolaiwadstrom.com/maven2/"

This would in the standard I propose here, tell Maven that for all packages with an Maven Group ID (or organization identifier) of “com.nicolaiwadstrom”, the primary repository is located at “https://nicolaiwadstrom.com/maven2/”.

Security

We always reverse the the Maven Group ID (or Organization in other words), we are always asking the authority (owner of that domain/DNS, such as nicolaiwadstrom.com) for the packages that are part of “com.nicolaiwadstrom”.

This do not mean that we fix any existing problems with man-in-the-middle DNS attacks, but we do not introduce additional security issues (as anybody in the middle can spoof any existing Maven repositories, such as the central Maven repository). Existing standards such as DNS Sec should be used to address those concerns.

Extensions

Multiple repositories with priorities. This standard would typically need to support multiple repositories to support fail-over etc. Proposed format for this would be to have multiple DNS entries, and prepend the priority such as:

@ 3600 IN TXT "maven-repository=10;https://maven1.nicolaiwadstrom.com/maven2/"
@ 3600 IN TXT "maven-repository=20;https://maven2.nicolaiwadstrom.com/maven2/"
@ 3600 IN TXT "maven-repository=30;https://maven3.nicolaiwadstrom.com/maven2/"

This would be resolved as 3 different URL’s for this Maven repository, top priority is “https://maven1.nicolaiwadstrom.com/maven2/”, if that can’t be reached (or does not contain the component, or version referenced), “https://maven2.nicolaiwadstrom.com/maven2/” should be tried and finally “https://maven3.nicolaiwadstrom.com/maven2/”. This also allows open source projects that are available in the central Maven repository to point to that as a primary resource, and have lookups fail-over back to their own servers.

 

I read about Richard Stallman’s visit to Sweden and the Royal School of Technology (KTH) this week, and his general bashing of everything not GNU.

I would not call Stallman a communist as some would, he want software to be free and open, and make it possible for individuals to contribute and be protected of license infringement (if he was a communist he would have wanted more control and a strict board to govern which software was to be allowed to be written, and individual choice would not be promoted or allowed…). In terms of licensing Stallman has a totalitarian view that GNU is good enough for everybody and all software.

I would like to see more choices, and it’s good with different Open Source licenses, they serve different purposes for different projects. And in a way even Stallman and the Free Software Foundation has realized this and created LGPL, that is a bit more friendly in terms of how you can use the software as components (with-in software with another license).

And I think this is the flaw in his reasoning; he argues that software patents do not work because software is a complex set of different ideas and concepts. I agree, but software today is so complex that it is also a complex set of ready made components (some commercial, some open source) and custom components put together to form a complete program or service. Almost no software built today is built from scratch, and almost any electronic product today contains software, software is everywhere.

So if I am building a commercial product (let’s say a mobile phone) and there are a number of ready made software components for some of the building blocks available as Open Source, some of them are not exactly what I need, so I need to add some functionality to them.

1) If any of these components have a GNU-type license, I could use them, but would have to distribute the complete source for my Mobile phone software (in one way or another).

2) If any of these components have a Apache-type license, I could modify the components as needed and include them in my product. I would not need to distribute the complete source for my Mobile phone software.

There are a number of compelling reasons not to do 1), and there are some perfectly good business models that could be built around 1), but with 2) I could modify the components and feed that back to the Open Source project and add some value to that.

For Linux the GNU model, 1), works quite well I think. But for minor components I think the Apache style license works a lot better, because it allows me to choose 1 or 2 above, whatever fits my business model, it also means that if my business model and business idea is working out, I can dedicate more resources to the contribute to the community (Open Source) project, which is what you can see with a lot of the small Apache projects (that don’t share the “heavy” foot-print that Linux has in terms of momentum etc), I think many of these small Apache projects would die (slowly but surely) if they were to be GPL licensed. A lot of the GNU licensed smaller projects don’t thrive as the Apache ones do. If I am a small startup with few resources, and early-on before I know which business model really works and how I will actually end up making money, the flexibility can be quite important and in many cases it would make sense for a small startup to open-source my custom/proprietary components with an Apache model, but not with the GPL (in terms of benefits of sharing it).

Now FSF and GNU has realized this and created the LGPL, but GNU would like to forget that, it seems.

Stallman thinks the world could be better by with widespread technology use, me too, I just think that variations, openness and flexibility is what moves things forward and will in the end be the route that creates the most diversity and spread, and I am foremost an Entrepreneur that want to create companies that make money of creating a value for it’s customers.

My punchline: Freedom of choice, and different licenses are good, there should not be just Apache or just GNU, just as there is no “one size fits all” for anything else in our world.