www-repository mailing list archives

From "Tim O'Brien" <tobr...@discursive.com>
Subject RE: Maven and repository@apache.org
Date Wed, 05 Jan 2005 14:27:16 GMT
What about having an XML description of the contents of a repository?  

Such a description could serve multiple purposes: it could be used to
enumerate known mirrors, it could be used to segment the "namespace" -
say we reach some agreement with Sun and all Sun artifacts fall into a
namespace of sun-* and must be redirected to a Sun server, etc.  This
XML file could be used by tools that want to provide a list of every
possible artifact.

What if every Maven repository knew of every other Maven repository
because they all shared a common resolution.xml file (think /etc/hosts
before the existence of DNS - hackish but it worked)?

> -----Original Message-----
> From: Brett Porter [mailto:brett.porter@gmail.com] 
> Sent: Wednesday, January 05, 2005 6:43 AM
> To: repository@apache.org; Steve Loughran
> Subject: Re: Maven and repository@apache.org
> > I'll be the Ant rep.
> Great, thanks.
> > I am co-author of the (still stabilising) Ant <libraries> task; it'd
> yeah, I've got to 50 mail threads sitting flagged in gmail to 
> read one day, as this is about the extent of what I know 
> about it :) (after you introduced it to repository@ last year)
> > 1. security. This could be with MD5 checksums, or it could be with 
> > signed JARs.
> MD5s aren't going to do much for security - they're mainly 
> for download integrity. Checking and publishing ASC files is 
> a definite want I have, and that can be ramped up to the 
> level of security you need (there are obviously varying 
> levels of trust of the files and the KEYS themselves).
> > JAR signing needs retrofitting to existing files, but has the 
> > advantage that JVMs integrate with it and you can do other tricks 
> > (like put http://ibiblio.org.../artifact.jar on the classpath with 
> > security turned on)
> That I haven't looked into, but would also be a good, but 
> optional feature. I think this is more of a build feature 
> than a repository feature? In fact, I'm sure we already do 
> this for JNLP.
> > 2. licenses. not just auto-download of .LICENSE files, but ideally 
> > some way to do click-through that even Sun are happy with.
> Yeah, there's a low hundreds JIRA entry for that (i.e. OLD :) I 
> think even that wouldn't fly with Sun IIRC but it doesn't hurt to ask.
> Should be easy to add hooks and allow a user to say "never 
> ask again for this license" to always accept ASL or 
> something, but still report the license on download.
> Good ideas and reminders - keep them coming, and I'll put all 
> this together on the wiki tomorrow-ish.
> Thanks,
> Brett

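The distinction Brett draws above between MD5 checksums and signed ASC files, as an added example that is not part of the original thread: a checksum served by the same mirror as the artifact catches transfer damage but not a substituted file, while a check tied to a key obtained outside the mirror catches both. The artifact name, keys and bytes are constructed, and HMAC-SHA256 stands in for the OpenPGP signature check because Python's standard library has no public-key signatures.

```python
import hashlib
import hmac

NAME = "example-lib-1.0.jar"                  # constructed artifact name
PUBLISHER_KEY = b"constructed-publisher-key"  # constructed; stands in for the signing key


def publish(artifact, key):
    """Files a repository serves for one artifact."""
    return {
        NAME: artifact,
        NAME + ".md5": hashlib.md5(artifact).hexdigest().encode(),
        # Assumption: HMAC-SHA256 stands in for the detached .asc signature.
        NAME + ".sig": hmac.new(key, artifact, hashlib.sha256).hexdigest().encode(),
    }


def md5_ok(mirror):
    """Checksum check: artifact and expected digest both come from the mirror."""
    expected = mirror[NAME + ".md5"].decode().strip()
    return hashlib.md5(mirror[NAME]).hexdigest() == expected


def sig_ok(mirror, trusted_key):
    """Keyed check: the key is held by the client, not served by the mirror."""
    expected = hmac.new(trusted_key, mirror[NAME], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mirror[NAME + ".sig"].strip())


def corrupted(mirror):
    """Transfer damage: the artifact is truncated, the sidecar files are intact."""
    bad = dict(mirror)
    bad[NAME] = mirror[NAME][:-4]
    return bad


def substituted(replacement):
    """A mirror serving different bytes can regenerate the .md5, but it can
    only produce the .sig with a key of its own, not the publisher's."""
    return publish(replacement, b"key-the-mirror-made-up")


def check(mirror):
    """Return (md5_ok, sig_ok) as a client trusting PUBLISHER_KEY sees them."""
    return md5_ok(mirror), sig_ok(mirror, PUBLISHER_KEY)


ORIGIN = publish(b"PK\x03\x04 constructed jar bytes", PUBLISHER_KEY)

if __name__ == "__main__":
    print("honest     ", check(ORIGIN))
    print("corrupted  ", check(corrupted(ORIGIN)))
    print("substituted", check(substituted(b"PK\x03\x04 other constructed bytes")))
```

With a real OpenPGP signature the client holds only the public key from KEYS, so unlike this symmetric stand-in it could verify without being able to sign.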