ant-dev mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Re: repository
Date Tue, 26 Oct 2004 22:44:43 GMT
On Tue, 26 Oct 2004 16:14:39 -0400, Russell Gold <russgold@gmail.com>
wrote:
> On Tue, 26 Oct 2004 00:17:06 +0100, Steve Loughran <stevel@apache.org> wrote:
> >
> > I have just committed a repository task. In theory it will support
> > repositories other than maven, but there is only maven support right
> > now.
> >
> > <getlibraries destDir="${lib.dir}">
> >     <mavenrepository/>
> >     <library archive="commons-logging"
> >         project="commons-logging" version="1.0.1"/>
> > </getlibraries>
> 
> 
> How does this compare with
> <http://www.httpunit.org/doc/dependencies.html>, which has been listed
> on the external tools page for several weeks - a task which, when I
> offered it two months ago, was rejected with the comment that such
> tasks don't belong in ant proper?
> 

I like yours better :)

Seriously, I like how you have done the trick of making the dependency
graph a classpath reference that can be used; very slick. I'd thought of
that, but hadn't put any effort in thinking how to do it.

Also <dependencies> is a better (more declarative) name for what you are
doing. 

One thing that I think could also be included is the ability for every
library/dependency to (optionally) declare a resource or class that must
exist. That way you don't just download things, you can probe to verify
that the files are vaguely correct. 

I must have missed the info on your task; the only one that I knew about
was the Krysalis work, and of course Maven itself. I wrote this up
fairly quickly and stuck it in to provide a focal point for repository
access; this is also why I checked it in before it was working fully.
Now is the time to fix what I have started; we have until Axis1.7 ships
:)

So if you want to merge what I've done with your code, let's go for it.
Same for anyone else who wants to contribute. 

I am particularly worried about security, and would really like to have
the maven checksum verification, with jar signature verification
alongside. What we are going to build is effectively very-very-close to
java webstart, and we don't want to expose too many security risks on
developers' systems. As it stands, a DNS subversion of a major ISP would
let you run malicious code on everyone downstream. 

-Steve

ps, gmail ads are pointing me at the fact that InstallShield can now run
ant during the install phase. We really are everywhere :)
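
An added example, not part of the original message and not code from Ant's repository task: one way to combine the two checks discussed above, a Maven-style checksum comparison and a probe for an entry the library must contain. It assumes SHA-1 digests published as `.sha1` files; the class name `LibraryCheck`, the entry names and the sample jar are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.jar.*;

public class LibraryCheck {
    // Hex SHA-1 of a file (assumption: the repository publishes <artifact>.jar.sha1).
    static String sha1Hex(Path file) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(Files.readAllBytes(file))) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // True only if the digest matches AND the archive contains the declared entry.
    // A .sha1 file may hold "<hex>  <filename>", so only the first token is compared.
    static boolean verify(Path jar, String sha1FileContent, String requiredEntry) throws Exception {
        String[] tokens = sha1FileContent.trim().split("\\s+");
        String expected = tokens[0].toLowerCase();
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                sha1Hex(jar).getBytes(StandardCharsets.US_ASCII))) return false;
        try (JarFile jf = new JarFile(jar.toFile())) {
            return jf.getEntry(requiredEntry) != null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a tiny jar standing in for a downloaded library.
        Path jar = Files.createTempFile("sample-lib", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new JarEntry("org/example/Probe.class"));
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
            out.closeEntry();
        }
        String published = sha1Hex(jar) + "  sample-lib.jar"; // as a repository would serve it
        // Case 1: digest matches and the required entry exists.
        System.out.println(verify(jar, published, "org/example/Probe.class"));
        // Case 2: digest matches but the declared entry is absent.
        System.out.println(verify(jar, published, "org/example/Missing.class"));
        // Case 3: the file changed after the digest was published.
        Files.write(jar, new byte[] {0}, StandardOpenOption.APPEND);
        System.out.println(verify(jar, published, "org/example/Probe.class"));
    }
}
```

A digest fetched from the same host as the jar only catches corruption and truncation; against the DNS subversion case, the digest or a jar signature has to be checked against something obtained over a separate trusted channel.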