open-source-programs icon indicating copy to clipboard operation
open-source-programs copied to clipboard
verified publisher icon TBD54566975

Determine new groupId for TBD projects on Maven Central

Open ALRubinger opened this issue 2 years ago • 4 comments

Proposal:

website.tbd.oss.*

ie: website.tbd.oss.tbdex, website.tbd.oss.web5, website.tbd.oss.ftl

Reasoning: The thing is, groupIds are designed to give consumers the assurance that they're getting software from the trusted source. That's why there's the reverse-domain convention, ie. com.google.projectName or com.squareup.okhttp . Anyone can reliably plug google.com into their browser and see who's providing this.

Spoke to @leordev a bunch about this today. A lot of this reasoning I credit to him. Here's where I'm at. I think our groupId should map to our hosted properties - namely something under tbd.website. That domain is the front door to TBD.

website.tbd is a weird prefix for a groupId, but I've concluded - that's because it's a weird domain name for us to have. So best to be consistent.

ALRubinger avatar Dec 05 '23 08:12 ALRubinger

Another idea from internal channels: skip oss in the prefix and use tbd.website.projectName.

The more I think on this the more it makes sense to me.

ALRubinger avatar Dec 05 '23 08:12 ALRubinger

website.tbd is a weird prefix for a groupId, but I've concluded - that's because it's a weird domain name for us to have.

i think from the perspective of tbd.website being an actual website, it's not all that weird.

agreed that as a groupid it feels weird

mistermoe avatar Dec 05 '23 08:12 mistermoe

what about using a domain like tbdev.org, tbdevs.org, tbdoss.dev (or really whatever domain makes more sense than tbd.website), and have it redirect to tbd.website? this way we can use org.tbdev.* (or whatever domain) and still achieve:

Anyone can reliably plug google.com into their browser and see who's providing this.

mistermoe avatar Dec 05 '23 08:12 mistermoe

what about using a domain like tbdev.org, tbdevs.org, tbdoss.dev (or really whatever domain makes more sense than tbd.website), and have it redirect to tbd.website?

This breaks the intention of domain verification. Maven Central is designed to map groupIds directly back to their home domains.

Reasoning: This was one of my thoughts too - until we realized:

  • groupIds are domain-verified by Sontatype. You have to be the owner of a domain to publish to its corresponding groupId.
  • And yes - we do own tbddev.org
  • But: if using redirects, that means anyone can publish under Domain A and redirect to Domain B
  • And that breaks the verification chain that the artifacts under Domain A are verified owned by the people behind Domain B

ALRubinger avatar Dec 05 '23 19:12 ALRubinger

Not going to do until renames make this necessary

ALRubinger avatar May 17 '24 18:05 ALRubinger