Currently, the amazon_kclpy package performs mandatory JAR downloads during pip install, which causes several challenges in enterprise environments:
-
Security Compliance:
pip install fails when internal Nexus or Artifactory repositories flag known CVEs in the default JAR versions.
-
Flexible Dependency Management:
Enterprise teams need the ability to manage and package approved JAR versions separately to meet internal security policies and control upgrades independently.
-
Installation Performance:
Mandatory downloads increase pip install time, even in cases where the JARs are already packaged or retrieved via internal build pipelines.
Proposed Improvement:
Introduce options to skip JAR downloads and make them available via:
- An optional environment variable KCL_SKIP_JAR_DOWNLOAD=1/true to bypass JAR fetching automatically during installation
This would:
- Allow clean separation of Python packaging and Java dependencies.
- Enable enterprises to pre-stage and control JAR dependencies.
- Reduce installation errors and improve reproducibility.
- Improve install performance in CI/CD pipelines.
Currently, the amazon_kclpy package performs mandatory JAR downloads during pip install, which causes several challenges in enterprise environments:
Security Compliance:
pip install fails when internal Nexus or Artifactory repositories flag known CVEs in the default JAR versions.
Flexible Dependency Management:
Enterprise teams need the ability to manage and package approved JAR versions separately to meet internal security policies and control upgrades independently.
Installation Performance:
Mandatory downloads increase pip install time, even in cases where the JARs are already packaged or retrieved via internal build pipelines.
Proposed Improvement:
Introduce options to skip JAR downloads and make them available via:
This would: