From ste...@apache.org
Subject svn commit: r383684 - in /ant/core/trunk: fetch.xml lib/libraries.properties
Date Mon, 06 Mar 2006 21:47:44 GMT
Author: stevel
Date: Mon Mar  6 13:47:42 2006
New Revision: 383684

URL: http://svn.apache.org/viewcvs?rev=383684&view=rev
Log:
This bit of complexity verifies the sha1 key of the m2 library against what is in the libraries
file. 

Provided the ant distro is validated, this ensures that the maven library that comes down
is also valid.

Modified:
    ant/core/trunk/fetch.xml
    ant/core/trunk/lib/libraries.properties

Modified: ant/core/trunk/fetch.xml
URL: http://svn.apache.org/viewcvs/ant/core/trunk/fetch.xml?rev=383684&r1=383683&r2=383684&view=diff
==============================================================================
--- ant/core/trunk/fetch.xml (original)
+++ ant/core/trunk/fetch.xml Mon Mar  6 13:47:42 2006
@@ -77,6 +77,7 @@
   
   <target name="probe-m2" depends="pick-dest">
     <!-- Look for M2 ant tasks in our classpath-->
+    <property name="m2.artifact" location="${dest.dir}/${m2.jar.name}"/>
     <available property="m2.antlib.found"
       resource="org/apache/maven/artifact/ant/antlib.xml" />
     <condition property="m2.antlib.typefound">
@@ -85,18 +86,48 @@
   </target>
   
 
-  <target name="get-m2" depends="probe-m2,pick-dest" unless="m2.antlib.found">
+  <target name="download-m2" depends="probe-m2,pick-dest" unless="m2.antlib.found">
     <!-- fetch M2 ant tasks into our repository, if it is not there-->
     <get src="${m2.antlib.url}" 
-      dest="${dest.dir}/${m2.jar.name}" 
+      dest="${m2.artifact}" 
       verbose="true"
       usetimestamp="false"/>
+  </target>
+
+  <target name="dont-validate-m2-checksum" depends="probe-m2"
+          if="m2.antlib.found">
+    <property name="checksum.equal" value="true" />
+  </target>
+
+  <target name="validate-m2-checksum" 
+          depends="download-m2,dont-validate-m2-checksum"
+          if="m2.sha1.checksum" unless="m2.antlib.found">
+    <checksum file="${m2.artifact}"
+        algorithm="SHA"
+        property="${m2.sha1.checksum}" 
+        verifyProperty="checksum.equal"/>
+  </target>
+
+  <target name="checksum-mismatch" depends="validate-m2-checksum" 
+          unless="checksum.equal" if="m2.sha1.checksum">
+    <delete file="${m2.artifact}"/>
+    <fail >
+      Failed to verify the downloaded file ${m2.antlib.url}" against the checksum
+      coded into libraries.properties. 
+      The local copy has been deleted, for security reasons
+    </fail>
+  </target>
+
+  <target name="checksum-match" depends="checksum-mismatch"
+          unless="checksum.equal">
     <fail status="0">
-      The Maven2 JAR has been installed; rerun ant to load it. 
+      The Maven2 JAR has been installed; rerun Ant to load it.
     </fail>
-  </target>  
-  
-  
+  </target>
+
+  <target name="get-m2" depends="checksum-match" 
+      description="Download the Maven2 Ant tasks"/> 
+
   <target name="macros" depends="get-m2"
     xmlns:artifact="antlib:org.apache.maven.artifact.ant">
 
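Review bot: The mismatch branch looks unreachable: `checksum-mismatch` is gated on `unless="checksum.equal"`, but as far as I know `<checksum verifyProperty=...>` sets that property to either `true` or `false`, and `unless` tests only whether it is set, so a jar with the wrong digest would be neither deleted nor rejected. Derive a separate flag at the end of `validate-m2-checksum`, `<condition property="m2.checksum.failed"><equals arg1="${checksum.equal}" arg2="false"/></condition>`, and gate the target with `if="m2.checksum.failed"` in place of the current `if`/`unless` pair. The same set-versus-value confusion means `checksum-match` is skipped after a verified download, so the "rerun Ant" exit does not fire on that path. Separately, `if="m2.sha1.checksum"` on `validate-m2-checksum` makes verification silently optional when the property is missing; failing the build in that case would be the safer default.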

Modified: ant/core/trunk/lib/libraries.properties
URL: http://svn.apache.org/viewcvs/ant/core/trunk/lib/libraries.properties?rev=383684&r1=383683&r2=383684&view=diff
==============================================================================
--- ant/core/trunk/lib/libraries.properties (original)
+++ ant/core/trunk/lib/libraries.properties Mon Mar  6 13:47:42 2006
@@ -1,13 +1,15 @@
 #this file declares the libraries for use in 
 #a given release of the components
 
-m2.version=2.0
+#if you change this, change the checksum to match
+m2.version=2.0.1
 m2.url=http://ibiblio.org/maven2/
 m2.artifact-name=maven-artifact-ant
 m2.jar.name=${m2.artifact-name}-${m2.version}-dep.jar
 #this is the URL of the antlib library, that is pulled down for everything else.
 m2.antlib.url=${m2.url}/org/apache/maven/${m2.artifact-name}/${m2.version}/${m2.jar.name}
-
+#this is the sha1 checksum of the artifact
+m2.sha1.checksum=7240828f1744c1f9f8b158a026ac368a03f536a3
 
 
 #versions of different libraries. Please keep in alphabetical order, except
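Review bot: The comment on `m2.sha1.checksum` does not say where the expected digest came from. `m2.url` in the context line above is plain `http://`, so this pinned value is the only integrity anchor for the download. A maintainer who bumps `m2.version` and recomputes the hash from a jar fetched through that same URL would pin whatever the mirror served. I would extend the comment to something like `#sha1 checksum of the artifact; compute it from a copy verified independently of m2.url`.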
@@ -23,7 +25,7 @@
 junit.version=3.8.1
 jsch.version=0.1.17
 jython.version=3.8.1
-log4j.version=1.2.12
+log4j.version=1.2.13
 #rhino.version=1.5R5
 oro.version=2.0.8
 regexp.version=1.3


