From Steve Loughran <ste...@apache.org>
Subject Re: <libraries>& cache
Date Fri, 03 Dec 2004 15:29:48 GMT



On Fri, 03 Dec 2004 16:01:17 +0100, Stefan Bodewig <bodewig@apache.org>
wrote:
> On Wed, 01 Dec 2004, Steve Loughran <stevel@apache.org> wrote:
> 
> > 1. should we adopt a default repository, and if so, what one? the
> > maven one? which is hooked off user.dir?
> 
> Probably whatever the repository@apache.org list (that I haven't ever
> followed) comes up with.  I have no idea whether it is alive and what
> the result could be - I do know that there was some content on the old
> wiki that needs to get migrated.

It's not an active list, really.

Actually, what I meant to say was "should we have a default place on the
local hard disk to store downloaded files", in the maven layout. I know
maven does this; I was just wondering where they did it.

> 
> > 2. Once you have a repository, you need to extract files from it for
> > use in WAR files, etc. Which means
> > (a) a library policy to create a fileset from the collection
> >
> > (b) <lib> in WAR/EAR must flatten filesets during copy.
> 
> Why?

imagine we store stuff in a central shared repository

<libraries pathid="compile.path" dir="store">
 <library project="tomcat" archive="servlets" version="2.4" />
 <makefileset filesetid="deploy.fileset" />
</libraries>

this would download

store/tomcat/servlets-2.4.jar

Now, make the war

<war ... >
 <lib>
  <fileset filesetref="deploy.fileset" />
 </lib>
</war>

I believe this will currently pull in the servlets.jar, but include the
path relative to the base dir of the fileset in the process. Which stops
the jar being found. That is my belief, based on some past bug report. 

> 
> > There was a bug about this filed; did we fix it?
> 
> I can't see a bug, maybe a missing feature.
> 
> > 3. I'm also still worried about security. There is MD5 checking, but
> > I'd also like a policy that uses the new signature checking code to
> > verify that the libs are signed by people you trust. I know the
> > maven repos are not so signed, but we can start.
> 
> +1 to all and any security checks.
> 

Note that once you start signing jars (or to be precise, sealing them),
you cannot load classes into the packages. This is why @work we don't keep
tests in the same package as the classes they test (subdirs test/unit
and test/system instead). I don't know what would happen if we signed
ant. I will have to experiment.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org
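Added example, not from this thread or from Ant itself: a Java check for the policy described above, which rejects a jar unless every class and resource entry is signed by a certificate whose SHA-256 fingerprint is on a trusted list. The class name, method names and the fingerprint passed on the command line are assumptions.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: accept a jar only if every entry is signed by a certificate we trust. */
public class TrustedSignerCheck {
    /** Hex SHA-256 fingerprint of a certificate's DER encoding. */
    static String fingerprint(Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }
    /**
     * True only if the jar verifies (JarFile with verify=true throws SecurityException while
     * reading a tampered entry) and every class/resource entry has at least one signer whose
     * leaf certificate fingerprint is in the trusted set.
     */
    static boolean allEntriesSignedByTrusted(File jar, Set<String> trusted) throws Exception {
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                // The manifest and the signature files under META-INF/ are not themselves signed.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available after the entry has been read to EOF.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* verification happens during the read */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false;                // unsigned entry
                boolean ok = false;
                for (CodeSigner s : signers)
                    ok |= trusted.contains(fingerprint(s.getSignerCertPath().getCertificates().get(0)));
                if (!ok) return false;                            // signed, but not by anyone we trust
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: jar to check; args[1]: hex SHA-256 fingerprint of the trusted signer certificate
        Set<String> trusted = new HashSet<>(Arrays.asList(args[1]));
        System.out.println(allEntriesSignedByTrusted(new File(args[0]), trusted) ? "trusted" : "REJECT");
    }
}
```

An MD5 match against the repository's checksum only shows the bytes are what the server handed out; the signer check above is what ties them to a publisher you have chosen to trust.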

