www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Porter <br...@apache.org>
Subject Re: James products, independency from ibiblio and poms referring people.apache.org
Date Wed, 18 Oct 2006 01:27:45 GMT
Sorry for the late response, I've been on holidays. This all sounds  
fine, and your analysis about the issues #1 and #2 are right. To  
solve #1 you could do what you've suggested, by using file:// as  
central, and including all the plugins and their dependencies in there.

I'm going to start looking into a better separation for these.

The other topics could go to the Maven lists.


On 03/10/2006, at 5:31 AM, Stefano Bagnara wrote:

> Hi all,
> I started a thread about maven2 usage for the James products few  
> weeks ago and I received a few suggestions but the thread gone off  
> topic soon.
> So I'm here again with what I did and what I would like to do.
> I created a root pom for our products:
> http://svn.apache.org/repos/asf/james/project/trunk/pom.xml
> The interesting part is that I override "central" with the      
> <repository>
>   <id>central</id>
>   <name>Apache Main M2 Repository</name>
>   <url>http://people.apache.org/repo/m2-ibiblio-rsync-repository</url>
>   <releases><enabled>true</enabled></releases>
>   <snapshots><enabled>true</enabled></snapshots>
> </repository>
> Then in jspf (one of our products) I use that project as parent:
> http://svn.apache.org/repos/asf/james/jspf/trunk/pom.xml
> and I add an "in source tree repository" reference like this one:
> <repository>
>   <id>local-jspf-3rd-party-m1</id>
>   <name>Local jSPF third party repository</name>
>   <url>file://${basedir}/repos/third-party-m1</url>
>   <layout>legacy</layout>
>   <releases><enabled>true</enabled>
>     <checksumPolicy>ignore</checksumPolicy>
>   </releases>
>   <snapshots><enabled>true</enabled>
>     <checksumPolicy>ignore</checksumPolicy>
>   </snapshots>
> </repository>
> And I add every dependency that cannot be found on m2/m1 ibiblio- 
> rsync/snapshot repositories on people.apache.org in the repos/third- 
> party-m1 folder using a legacy m1 structure.
> In the specific case this files:
> repos/third-party-m1/org.jvyaml/jars/jvyaml-0.1.jar
> repos/third-party-m1/dnsjava/jars/dnsjava-2.0.1.jar
> This way the libraries included in my final release will be  
> retrieved only from trusted sources.
> And here are the 2 problems I need to address:
> 1) This way the final pom will have references to people.apache.org/ 
> repos and I think I understood this is not good for ASF policy.
> 2) maven plugins used to build and test the project (and also the  
> ones needed to generate reports and create the website) are still  
> downloaded from ibiblio and fallback to codehaus repositories.
> I could fix the second point by adding ${basedir}/repos/third-party- 
> m1 also as pluginRepository and adding ALL of the used plugins to  
> that folder but I'm not sure this would be so good, but I really  
> don't know how to fix the #1 issue.
> I also would like to find a method to create a source package  
> release where *every* dependency is included in the package and the  
> pom does not include external references: is there an easy way to  
> accomplish this requirement?
> Maybe I should send this mail to a maven mailing list instead of  
> repository.. tell me if this is the case.
> I really think that until we wait for maven to solve every issue  
> related to repository security ASF should introduce a 3rd party  
> repository to be used instead of the file-based "${basedir}/repos"  
> solution. This would temporarily increase our builds reliability  
> even not being the final solution.
> Any critics, hints is welcome ;-)
> Stefano

View raw message