New binary artifact management tool

github.com

77 points by g7r 5 years ago · 21 comments

thinkmassive 5 years ago

To replace Artifactory, Nexus, etc (as claimed at the start of the readme) authentication is an important component.

Right now Artipie appears to support credentials stored in a flat file, or integration with GitHub. There’s an open issue[0] that makes it sound like LDAP integration is in progress, but the only comment of substance is “you should donate to make this happen faster.”

That’s somewhat unfortunate, because it’d be nice to have some idea of the current progress on the issue beforehand.

[0] https://github.com/artipie/artipie/issues/24

  • l3s2d 5 years ago

    General observation, not necessarily related to this project:

    It's rather unfortunate that federated identity is always an afterthought instead of the default. Every new project could have been using OpenID Connect instead of rolling their own authentication. I really wish web frameworks pushed for this.

    I suppose some of the blame lies with the identity providers. So many of them use a custom OAuth protocol instead of OIDC, which shifts the burden to the developers. Adding a new IdP should be as simple as adding a new trusted URL, instead it's often integrating a new SDK.
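The "trusted URL" model described in this comment, as an added example that is not from the thread or from Artipie: a relying party keeps an allow-list of OIDC issuer URLs with the client credentials registered at each, and validates an ID token against it (issuer, signature, audience, expiry, nonce). It uses the HS256 variant from OIDC Core, where the client secret is the HMAC key; the issuer URL, client_id, secret and helper names are all constructed here, and a production deployment would normally verify RS256 tokens with keys fetched from the issuer's discovery document instead.

```python
import base64, hashlib, hmac, json, time

# Constructed registry: adding an IdP means adding its issuer URL and the
# credentials registered with it, with no IdP-specific SDK.
TRUSTED_ISSUERS = {
    "https://idp.example.internal": {
        "client_id": "artifact-repo",
        "client_secret": b"constructed-secret",
    },
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Validate an HS256 OIDC ID token against TRUSTED_ISSUERS.
    Returns the claims, or raises ValueError on any failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(p_b64))
    # Issuer first: it selects which registration (and therefore key) applies.
    reg = TRUSTED_ISSUERS.get(claims.get("iss"))
    if reg is None:
        raise ValueError("untrusted issuer")
    if header.get("alg") != "HS256":  # pin the alg; never take it from the token
        raise ValueError("unexpected alg")
    mac = hmac.new(reg["client_secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if reg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def mint_test_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the IdP's token endpoint, used for testing."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```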

    • mumblemumble 5 years ago

      For this purpose, I'd strongly prefer LDAP over OIDC.

      The reason being, companies that have a need for something like this are much more likely to be set up with their own LDAP server than with their own OIDC provider. I'm guessing the next most useful one might (still) be SAML, and then OIDC would be the cherry on top.

      • l3s2d 5 years ago

        I think OIDC should be the default authentication for services like this. It is the newest, and simplest, of the three. Any sort of integration with existing SAML or LDAP can be done via a bridge. Keycloak supports this, I believe.

        • user5994461 5 years ago

          Indeed OIDC is the standard nowadays and for the future years.

          Active Directory has OIDC support since version 2016 (and SAML since earlier), which makes it the de facto supported protocol in companies.

          SAML is rightfully losing adoption because it's way more difficult to use. LDAP is moot for a variety of reasons, though it's still used by some internal services.

      • closeparen 5 years ago

        LDAP pins you down to a username+password flow and requires you to handle that password. Would much rather see authentication flows that are ready for WebAuthN, etc. by default.

        • mumblemumble 5 years ago

          100% agreed there. I'm just thinking, you generally get more value out of building for the world you live in than out of building for the world you wish you lived in.

      • thinkmassive 5 years ago

        If you visit the issue I linked you’ll see they crossed out SAML support with the note “won't be implemented, since repository authentication mechanisms doesn't support these providers”

hkt 5 years ago

It is a worthy effort but I really need to be able to plug in my own auth options, as per stuff like Dovecot.

imglorp 5 years ago

What are people's thoughts about using GitHub/Bitbucket/Etc's git LFS feature that's coming online for everyone?

You can stash just about any binary, versioned, and control if it appears in your repo or just a little pointer file.

  • yencabulator 5 years ago

    What's the point of that? You can't fully resurrect all artifacts ever or you'll waste a day downloading until you run out of disk space, so all you get is the pointer files. At which point you could just as well store the hash of something in an object store, without LFS.

varikin 5 years ago

It says both:

| It can host the data in the file system, Amazon S3, Google Cloud, HuaweiCloud OBS etc.

and

| For now, we support two storage types: file system and S3 storages.

Along with lack of LDAP or federated login, it doesn't seem ready to try or recommend yet.

tofflos 5 years ago

Keep it up! There's definitely room for challenging the incumbents. Besides authentication I'm looking for Maven mirror functionality and vulnerability scanning in an enterprise setting.

roel_v 5 years ago

Versioning is mentioned in passing as a design requirement, but not mentioned further on - how does versioning work in a system like this?

debarshri 5 years ago

I wonder if "Java code is extraordinary high" can be the moat for a company.

  • eternalban 5 years ago

    You made me grep for that in the OP.

    They are claiming "quality of Java code is extraordinary high". It is not even merely "good": Here is looking at you, dear misnamed and all over the place "Slice" flavors.

hwc 5 years ago

I wrote something dumb that downloads large files. The idea was to check the index file into a git repository.

https://gist.github.com/HalCanary/9abb045bf047da118c2467266b...
