Now there is one situation where downloading a pre-compiled binary is enough: when using the package manager of your system. All the libraries are built with one compiler and one standard library under one system, so they can all work together. I really wish I could just delegate package management to the OS and simply state that you should install version X of library Y, but not everyone is using ArchLinux or a similar Linux distribution which has the current version of everything as a package.
CMake provides the find_package() function to look for a package installed on your computer. A package is basically a CMake file that sets up a target that you can use just as if it was defined in your own CMakeLists.txt. For a target that is properly set up, all you need should be something like this:
But when a user clones it, the submodule will not be cloned (by default). It will be cloned once the user issues a git submodule update --init -- external/foo (with the example above). And this can be leveraged inside CMake:
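The following is an added example of that idea, not the tutorial's own code: at configure time, CMake checks whether the submodule checkout under external/foo is populated and, if not, runs the same git submodule update --init for the user. The paths (external/foo, src/main.cpp) and the target name foo are assumptions for illustration.

```cmake
# Added example (not from the original tutorial): make sure the git submodule
# under external/foo is present before we try to use it, and fail with a clear
# message if it cannot be fetched. Paths and the target name "foo" are assumed.
cmake_minimum_required(VERSION 3.14)
project(app LANGUAGES CXX)

find_package(Git QUIET)

# The submodule checkout is considered present when its CMakeLists.txt exists.
set(FOO_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/external/foo")

if(NOT EXISTS "${FOO_SOURCE_DIR}/CMakeLists.txt")
    if(GIT_FOUND AND EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git")
        message(STATUS "Submodule external/foo is missing, running git submodule update --init")
        # Plain --init (no --remote): this checks out exactly the commit recorded
        # in the superproject, so the dependency stays pinned and reproducible.
        execute_process(
            COMMAND ${GIT_EXECUTABLE} submodule update --init -- external/foo
            WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
            RESULT_VARIABLE GIT_SUBMODULE_RESULT)
        if(NOT GIT_SUBMODULE_RESULT EQUAL 0)
            message(FATAL_ERROR
                "git submodule update --init failed with exit code ${GIT_SUBMODULE_RESULT}")
        endif()
    else()
        message(FATAL_ERROR
            "external/foo is empty and git is unavailable (or this is not a git checkout). "
            "Run: git submodule update --init -- external/foo")
    endif()
endif()

# Build the dependency as part of this project; its targets become available
# just as if they were defined in this CMakeLists.txt.
add_subdirectory(external/foo)

add_executable(app src/main.cpp)
target_link_libraries(app PRIVATE foo)
```

Using --init without --remote matters: the superproject records a specific commit for the submodule, and that commit is what gets checked out, so every clone builds against the same reviewed revision of the dependency rather than whatever the upstream branch currently points at.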
Finally, a convenience target is created as described in step 0. Note that we need the generator expressions when we set the include directories: when building the library the headers are in ${FOO_INCLUDE_DIR}, but once it is installed the headers are at the install destination.
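As an added example covering both this step and the find_package() usage described earlier (it is not the tutorial's own code), here is the library side with the BUILD_INTERFACE/INSTALL_INTERFACE generator expressions and an export, so that a consumer can later write find_package(Foo) and link against Foo::foo. The project name Foo, the target name foo, the version 1.2.0, the header directory include/ and the source file src/foo.cpp are assumptions for illustration.

```cmake
# Added example (not the tutorial's own code): the library side, with the
# generator expressions from the text and an export so that consumers can use
# find_package(Foo). Names, paths and the version number are assumed.
cmake_minimum_required(VERSION 3.14)
project(Foo VERSION 1.2.0 LANGUAGES CXX)

include(GNUInstallDirs)
include(CMakePackageConfigHelpers)

set(FOO_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/include")

add_library(foo src/foo.cpp)
add_library(Foo::foo ALIAS foo)   # namespaced name, same spelling consumers will use

# BUILD_INTERFACE applies while building inside this source tree;
# INSTALL_INTERFACE applies to the exported target after installation
# (a relative path here is resolved against the install prefix).
target_include_directories(foo PUBLIC
    $<BUILD_INTERFACE:${FOO_INCLUDE_DIR}>
    $<INSTALL_INTERFACE:${CMAKE_INSTALL_INCLUDEDIR}>)

# Install the binary and record the target in the FooTargets export set.
install(TARGETS foo EXPORT FooTargets
    ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
    LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
    RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
# Trailing slash: copy the contents of include/, not the directory itself.
install(DIRECTORY "${FOO_INCLUDE_DIR}/" DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})

# FooTargets.cmake defines the imported target Foo::foo for consumers.
install(EXPORT FooTargets
    NAMESPACE Foo::
    DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/Foo)

# Version file so that find_package(Foo 1.2) can check compatibility.
write_basic_package_version_file(
    "${CMAKE_CURRENT_BINARY_DIR}/FooConfigVersion.cmake"
    COMPATIBILITY SameMajorVersion)
# FooConfig.cmake is what find_package(Foo) actually loads.
configure_package_config_file(
    "${CMAKE_CURRENT_SOURCE_DIR}/cmake/FooConfig.cmake.in"
    "${CMAKE_CURRENT_BINARY_DIR}/FooConfig.cmake"
    INSTALL_DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/Foo)
install(FILES
    "${CMAKE_CURRENT_BINARY_DIR}/FooConfig.cmake"
    "${CMAKE_CURRENT_BINARY_DIR}/FooConfigVersion.cmake"
    DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/Foo)

# ---- Consumer side, in a separate project (the find_package() usage) ----
# find_package(Foo 1.2 REQUIRED)
# add_executable(app main.cpp)
# target_link_libraries(app PRIVATE Foo::foo)
```

The template cmake/FooConfig.cmake.in only needs two lines: @PACKAGE_INIT@ followed by include("${CMAKE_CURRENT_LIST_DIR}/FooTargets.cmake"). Without the two generator expressions the exported target would carry the absolute path of the source tree, and find_package(Foo) on another machine would either fail or, worse, silently pick up headers from an unrelated checkout.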
First: a bit of background - I run a team of DB devs, I have a degree in software engineering, I can use Python very effectively and have done so in several organisations (of similar size and larger). I've just hired a data scientist to do some analytical work in my team; they primarily use Python as their scripting language, and they start in 4 weeks.
I got IT to install Python (& Anaconda) through Visual Studio (our IDE for other bits) onto my machine, and I tried to pip install a library to warm myself back up and make sure the environment would be suitable for the new hire. The company has blocked SSL. After asking to unblock SSL they came back with (effectively):
I assume that you are in a highly regulated environment of some sort as I have never encountered this level of bureaucracy and I worked in both banking and government where we handled financial information. However, what they did in banking to allow us to do this was to sandbox our team away from infrastructure. We had a different wireless network, a different set of credentials, and a different set of computers for development. Everything was the same except that we didn't have direct access to customer data from the development machines or any other kind of infrastructure.
IT tried to implement this pre-approval requirement for libraries in my government job. Obviously, that did not fly and the security people in IT couldn't code anyway. What ended up happening was that admin privileges were given to the developers specifically so they could install whatever they needed and override the whitelist. They just more heavily locked down everyone else.
I can see at least two issues that you need to address specifically. One, using open-source code can cause your work products to become open source. It all depends on their respective licenses. Do your research and be able to prove to legal that what you are downloading does not do this. Don't assume legal and IT know, or will drop everything and figure out for you ASAP. Two, software often has separate paid license categories for corporate users. If you circumvent that by downloading something and just ticking the "personal use" box, the company can get served a notice or be sued. Be prepared to prove that this is not the case for your software.
After you are prepared, escalate this through the normal chain: your boss, division head, etc. Such alignment will go further in changing your company's procedures or granting you elevated permissions.
I would focus on this bit. Asking for the freedom to pip install any library you want with no oversight will likely be a non-starter but you should be able to make a case for streamlining the approval process. Explain why it's important that the new hire has access to these tools and how not having them is costing the company money. Checking the license and screening for malware shouldn't take more than a few minutes so it should just be a matter of putting pressure on the relevant parties to make it a top priority.
In my experience (in over a decade contracting in banks and government departments), the trick is to find other developers in your organization and find out as much as you can about their workflow and the level of access they've been granted.
If you can prove that whatever you want is functionally equivalent to what someone else already has then your request is much more likely to be granted, on the grounds that it already has been granted to someone (presumably) equally responsible.
If that fails then your best bet is to offer to use and enforce security precautions that are essentially paranoid. Think about what your workflow would be like if you were designing missile guidance systems and work from there. This is actually how the popular lightweight database system SQLite came about, when a contractor for the US Navy couldn't get permission to install a "proper" RDBMS. It depends on your circumstances, but maybe you can use VMs for everything, or a super-secure dev box, or even AWS Workspaces (if you don't need to work with anything confidential).
This "Plan B" will be uncomfortable and inconvenient for you, but the goal is to demonstrate a genuine business need for the tools you want to use. Once you've demonstrated the value of what you're able to create, it'll be relatively easy to show how you could do even better if you were able to work without both hands figuratively tied behind your back, and why specific restrictions are unnecessary.
And even if that fails, over time you will get better at finding creative workarounds for seemingly unnecessary restrictions, and you'll learn more about what you really need to get the job done. I have had so much practice configuring SSH port-forwarding and working around issues with non-standard installations of miscellaneous tools that junior devs think I'm basically a wizard now. Good luck!
The IT department that you are portraying as clueless is actually correct, and you are the one who is (excuse my harshness) clueless. You can't just download a runnable computer program from the web without thoroughly vetting it because it could contain malware that could destroy or greatly damage your company.
As correctly stated by @MichaelMcFarlane, uncontrolled use of open source dependencies can lead to licensing issues where your company could be sued to reveal the source code of their expensive projects.
But smaller, mostly-unknown projects will just go under the radar, exactly like a pedestrian crossing the street on a red light at a mostly-deserted downtown intersection at off-peak time. I have witnessed many.
Never pull open source dependencies too easily "just because they are free". Request a review from a software architect or the IT department, and motivate your request to pull certain software. Make sure that the process does not become too bureaucratic; otherwise, report constructively to IT.
Don't call that opinion, because it's not their opinion, it's their security policy. And you're not going to change that policy, because it was established on the higher level.
So the key is to plan in advance. Do not wait until you start implementing things to find out that you need some dependencies. Try to find everything out before starting the project. And you'll learn to minimize the number of libraries you use.
As others have noted, it is not unreasonable, especially for large, conservative, and regulated companies, to be cautious of security and/or licensing risks with third-party code and to want to have some process in place to manage that. What is unreasonable is to do it in a way that entirely destroys productivity by requiring a lengthy process where IT must download any package individually.
In comments, you noted that you "just lost two staff, one reason quoted was the restrictive IT." This gives you a business case for addressing the problem; the cost and lost productivity of replacing these employees is significant and will likely be repeated if things aren't changed.
It may help to assemble a list of specific examples, addressing both things like recruiting cost caused by departing employees and the delays caused by this process (e.g. "the VP of Finance requested we produce an XYZ analysis. We could have had it ready within 24 hours, but obtaining permission to download the library needed to parse Excel files took two weeks, which meant the VP didn't have the analysis for the board meeting"). Finding out, as Andy suggests, how other teams have managed to handle this will also be valuable information.
But many companies with these policies do not simply rely on a manual "IT will download all packages" policy, because they understand that's not a productive working environment. Large tech companies have custom in-house repositories of third-party code (see, for example, Google's processes around the management of third-party Python packages). This means that most common packages are simply already available for corporate use and can be used by everyone immediately, and there's a clear process with ready-made tools for developers to import new ones from GitHub and PyPI and have those additions reviewed quickly.
There are tools like Sonatype's products that can manage this process so that the company can have visibility and control into its third-party dependencies while maintaining productivity and compatibility with package managers, CI pipelines, and other development tools. I would see if the company is willing to invest in a company-wide effort to manage third-party code to actually address this problem.
If your company is imposing these restrictions yet is unwilling to implement a real package management solution, they're shooting themselves in the foot, not only because of the loss of productivity, but because "IT will manually download approved packages" means there's no process in place to keep track of dependencies (IT is surely not manually reviewing and tracking updates for the hundreds of dependencies that may come with a Node project) and ensure vulnerable packages are patched.