ant-ivy-user mailing list archives

From Antoine Levy-Lambert <anto...@gmx.de>
Subject Re: Professional Repository - Artifact Verification
Date Fri, 17 Apr 2009 07:18:22 GMT
Hello Ray,

Ray Racine wrote:
> Trying to understand the Ivy way of setting up
> internal/shared/professional/enterprise repositories.
>
> I've looked through the Best Practices, examples etc. and the one thing I
> keep looking for is the verification aspect.  It's one of those things "you
> know it has to be there somewhere" but I can't find it.  Let's say I want to
> create an internal repository and as part of the process verify the jars
> using PGP, MD5 or SHA-1 sigs.   Is this something supported by Ivy or are
> there other Ant tasks and scripts everyone is using that support this?
> Right now the best I can come up with would be something like this.
>
>  - Create a local Stage Repository and populate it from public (Maven et al)
> repos via an Ant script with itemized Install tasks for each artifact.
>  - Manually obtain sigs or keys from a non-mirror and verify a jar
> one-by-one.
>  - Use another Ant script to move via an Install task a verified jar into
> MyEnterpriseRepo.
>  - Then to avoid all this manual work, start building a tedious set of Ant
> scripts to fetch KEYS etc via fetch tasks and verify all Stage Repo.
> artifacts etc...
>
> What I've been searching for is some settings capability where for each
> artifact I can tell Ivy the expected PGP or SHA-1 and avoid the Stage
> Repository, in other words, Ivy will refuse to install an artifact into
> MyEnterpriseRepo which fails to verify.
>
> How is everyone dealing with the verification aspect??
>
>   
I am dealing with the verification aspect manually.
Creating the ivy.xml files for the various third party jars used by a
project is also a time-consuming task.

Regards,

Antoine

> Thanks,
>
> Ray
>
>   
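
The stage, verify, promote flow outlined in the quoted question, sketched as an added example; it is not part of either message and not an Ivy feature. It assumes a hypothetical manifest `pinned` mapping each jar's path under the stage directory to a SHA-1 hex digest obtained from a source other than the mirror the jar came from; the function names, paths and byte strings are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def promote_verified(stage, repo, pinned, algorithm="sha1"):
    """Copy jars from stage to repo only when their digest matches the pin.

    Returns (promoted paths, {rejected path: reason}). Fails closed: a jar
    with no pinned digest is rejected, never trusted by default.
    """
    stage, repo = Path(stage), Path(repo)
    promoted, rejected = [], {}
    for src in sorted(stage.rglob("*.jar")):
        rel = src.relative_to(stage).as_posix()
        data = src.read_bytes()  # the bytes hashed are the bytes written
        actual = hashlib.new(algorithm, data).hexdigest()
        expected = pinned.get(rel)
        if expected is None:
            rejected[rel] = "no pinned digest"
        elif not hmac.compare_digest(actual, expected.strip().lower()):
            rejected[rel] = "digest mismatch"
        else:
            dest = repo / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
            promoted.append(rel)
    return promoted, rejected

def demo():
    # Constructed sample: short byte strings stand in for real jars.
    files = {
        "org/a/1.0/a-1.0.jar": b"good jar",
        "org/b/2.0/b-2.0.jar": b"tampered jar",
        "org/c/3.0/c-3.0.jar": b"unlisted jar",
    }
    pinned = {
        "org/a/1.0/a-1.0.jar": hashlib.sha1(b"good jar").hexdigest(),
        "org/b/2.0/b-2.0.jar": hashlib.sha1(b"original jar").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        stage, repo = Path(tmp, "stage"), Path(tmp, "MyEnterpriseRepo")
        for rel, data in files.items():
            path = stage / rel
            path.parent.mkdir(parents=True)
            path.write_bytes(data)
        promoted, rejected = promote_verified(stage, repo, pinned)
        in_repo = sorted(p.relative_to(repo).as_posix() for p in repo.rglob("*.jar"))
        return promoted, rejected, in_repo

if __name__ == "__main__":
    print(demo())
```

A digest fetched from the same server as the jar only detects corruption in transit; the pin has to come from an independent source for the gate to catch a substituted artifact.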

