Andres Almiray with DevOpsSpeakeasy at DevoxxMA 2022

Speakeasy at devops Morocco my name is

Steven Chin I’m the VP of devrel at

jfrog and I’m joined here by Andre

almeray how are you doing Andre I’m

doing perfectly fine now that we’re here

at devops Morocco so thank you for

having me having me again here Steve

yeah no this is this is awesome I can’t

think of a better place for us to be

chatting under the beautiful Moroccan

weather by the seashore which I haven’t

actually made it out to because we’ve

been stuck in this hotel for the past

week yes uh but hopefully we’ll have an

opportunity a little bit later so that

we can continue to enjoy everything that

Morocco has to offer while we’re

chatting about open source Technologies

like Maven and Jay releaser and other

cool stuff yes

tell us a little bit about what’s what’s

new in in all the open source projects

which you’ve been spearheading well so

those that know me or have met me before

know that I have promoted Gradle for a

long long time so nowadays I do I do

promote maybe for one particular reason

I like to know better how to use tools

and turns out that personally I had no

clue how Maven actually works that’s why

I decided to use other tools so I came

back to it and learned how to properly

use a tool and I discovered that it’s so

easy to just not do the right things

correctly and I would like to continue

promoting how to make use of the tool

people know mavenclinstall that’s

probably one of the memes that people

know me uh most recently and the reason

why we use maybe clean install is pretty

much because of account like a cargo

code yeah maybe I didn’t do incremental

builds

so

showing showcasing but but if you if you

use Maven correctly you shouldn’t you

should rarely need to use clean right

that’s precisely the point you should

not necessarily need to use clean all

the time in Booking maybe verify should

give you what you need 100 80 of the

times there are use cases there are

valid use cases for using clean or

install but definitely not all the time

yeah yeah no exactly so that’s cool so

you’re helping you’re helping Java

developers use Maven more effectively

correct because what we want is so that

they are more effective they have a

faster speed they have faster bills

correct bills and reproducible bills

there are many different angles that you

can take on bills but if you know how

the build tool works then you can get to

the place you need to be in a much

better position in a faster okay so

let’s talk about what you just mentioned

so you mentioned reproducible builds and

I think our audience may not know

what a reproducible build is and why

they might care about it so okay can you

explain that yes the idea behind that

reproducible build is that you have set

up your environment your bill

environment in such a way that if you

create an artifact today and then six

months later or some other time later

someone asks you to recreate the same

artifact you’re capable to do so that

means it’s it may be a different uh

build node but you have the same VM the

same uh environmental variables the same

Maven version and the pen is what not so

that you can almost guarantee that bit

by bit there is a binary match within

the artifact that was built before and

the artifact that you just built today

okay now that’s good and like as a let’s

say you’re an open source author and

you’re published packaging and open

source Library why why should you care

about producing a reproducible build

well one of them is security to be sure

that what was built in can be built

again in case that you need to the

binary was not available for whatever

reason you need to provide one that is

exactly the same there are no additional

changes there is no code injection

nothing like that

you can also

attest that the build process is working

as it should no one has changed things

so that that that the again I think the

basic point is no

no malicious code being injected into

the code base nothing that can be

checked there are so many different

attacks that can happen that we have no

clue how they got into just because the

build tool chain was affected in one way

or another cool no that’s exciting and

um so we’ve been talking a lot about

Maven and you know different ways people

can optimize their builds but I think

also you have a you have an open source

project to help people release their

their Java projects or other language

projects more easily yeah so the

Project’s called your release it started

as a Java project and the the main goal

at the time was to release a command

line tool or a desktop tool built with

jfx and uh it’s it’s enough for me as a

developer to Simply say to potential

consumers hey here’s a git repository

and here are the maven instructions to

build it and figure it out and then you

get a binary but that that really is not

that very user friendly it’s is better

if I say look I already have these

binaries packaging away so that you can

consume it more easily such as Homebrew

or a snap graph or Wingate or the

specific platform package manager that

users like like to use so that’s exactly

what the tool does it it it it helps

speed up that release process for all

kind of binaries and then we figure out

what if we extend it to other languages

so if you’re using Elixir rust python

JavaScript all the others you can

continue to use share release as well

cool no that’s exciting and what what

are some of the like new features or

things you’ve been working on and adding

to J releaser recently so uh since the

first release that we posted in April

2021 uh 21 yep

when people saw oh these are released so

can I release jars and pumps to Maven

Central and I said no because that’s

kind of like a

responsibility or your ability of a

choice what is maving Gretel or what

have you uh so we we decided not to do

that then but what is coming in the next

version is that possibility you can

certainly post binaries to many places

artifactory being one of them but it’s

only for generic binaries but what is

coming in next release is the capability

to push jars and pawns just like a

regular Maven release to any maving

compatible repository nice nice so that

that makes so you’re making releasing

easier you’re making pushing your

library to different Central

repositories easier so I think and that

also includes checksuming files and

generating signatures whether it’s pgp

which is what Maven Central accepts or

with project six stores called sign as

well because that’s also coming up uh

you can create install dollars using

ground behind the TV match or j-link or

J package I didn’t mentioned a couple of

package managers there are so many

different options that the tool allows

you to use you don’t have to use them

all just pick those that are specific to

your requirements cool all right that’s

exciting

um and what’s what’s next for you so

you’re you’re at devox Morocco now any

other like events or other stuff you’re

excited about coming yes coming up child

one in a week and we have a handful

events also locally in Basel and uh yes

we are still continue to spread the word

about open source about different

Technologies and the things that we’d

like to work on cool all right thanks so

much for this interview at the devops

speaky uh devops Speak Easy at devops

Morocco and looking forward to hacking

with you during the speaker trip thank

you so much Steve