ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <stev...@iseran.com>
Subject Re: auto download of antlibs
Date Mon, 09 Feb 2004 10:54:33 GMT
Costin Manolache wrote:
> Steve Loughran wrote:
> 
>>
>> OK, now that Ant1.6 has antlibs, it is time to think of the next step: 
>> auto download of antlibs and (perhaps) dependencies.
>>
>> 1. Possible requirements
>>
>> -allow users to specify the URLs of dependent antlibs
>> -allow teams to provide an override point that specifies their location
>> -secure download -only files from trusted sources are fetched.
> 
> 
> Signed jars ?

that was roughly my thought. But then you need a signature trust model 
with certificate handling and the like, security panics, etc etc. Having 
a simpler 'no security at all' option is more brutally honest and a lot 
easier :)

But security is a big issue for behind the firewall stuff. I am setting 
up cruisecontrol to run against the work project we are doing 
(smartfrog.org), whose CVS repository is sourceforge. So now I have to 
worry about how to download and run arbitrary source from sforge, 
without giving that code arbitrary access to behind the firewall systems 
(you know, the ones with all the SysV source, in case some malicious 
build file secretly starts copying lines from sysv into the linux-64 
repository). I am going to have to resort to hardware (dedicated box 
outside the wall) or software -a vmware configuration, maybe with 
something emulating a router that only routes outside both our class A 
subnets. (yes, *both* class A subnets :)

> 
>> -caching of downloads, global or per-user
>> -go through proxies
>> -allow antlib providers to move their files (handle redirects)
> 
> 
> Is this really needed ?

Maybe not at first. But 302 redirs are very useful over time.


> 
> 
>> -allow antlib providers to mirror, by having a mirror file that lists 
>> possible sources
> 
> 
> I would add: support for sourceforge-like mirrors and "click" repositories.
> 
>> -support private repositories (intranet/internet, https, 
>> authenticated) as well as public sources
>> -make it easy to publish an antlib, and register it in the ant central 
>> list
> 
> 
> And if possible, a single central list :-)

no, too much maintenance :)

> 
> 
> 
>>
>> Anything else?
> 
> 
> - support for multiple repository types ? It would be really nice if the 
> tool would be able to fetch RPM/APT dependencies ( from jpackage or a 
> similar repo ), as well as maven and other descriptors.

aah, too many features!

> 
>>
>> 2. What things implement this? What do Maven and Ruper do?
>>
>>
>> 3. do we want to integrate this with ant, or have some more standalone 
>> tool that can be used to keep a component repository up to date, a 
>> tool with an ant task for use in a build file. A sort of apt-get for 
>> apache stuff...
> 
> 
> I think having this bundled/integrated with ant would be an excelent idea !

I am looking at ruper. I like the GUI too -and I like the ability to say 
   you want to subscribe to, say junit and xalan & have bits of your 
system kept up to date. (of course, unlike the rpm tools it is not the 
JRE we are maintaining, just individual projects or users)


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message