ant-ivy-user mailing list archives

From Ray Racine <ray.rac...@gmail.com>
Subject Professional Repository - Artifact Verification
Date Wed, 15 Apr 2009 17:16:47 GMT
Trying to understand the Ivy way of setting up
internal/shared/professional/enterprise repositories.

I've looked through the Best Practices, examples etc. and the one thing I
keep looking for is the verification aspect.  It's one of those things "you
know it has to be there somewhere" but I can't find it.  Let's say I want to
create an internal repository and as part of the process verify the jars
using PGP, MD5 or SHA-1 sigs.   Is this something supported by Ivy or are
there other Ant tasks and scripts everyone is using that support this?
Right now the best I can come up with would be something like this.

 - Create a local Stage Repository and populate it from public (Maven et al)
repos via an Ant script with itemized Install tasks for each artifact.
 - Manually obtain sigs or keys from a non-mirror and verify a jar
one-by-one.
 - Use another Ant script to move via an Install task a verified jar into
MyEnterpriseRepo.
 - Then to avoid all this manual work, start building a tedious set of Ant
scripts to fetch KEYS etc via fetch tasks and verify all Stage Repo.
artifacts etc...

What I've been searching for is some settings capability where for each
artifact I can tell Ivy the expected PGP or SHA-1 and avoid the Stage
Repository, in other words, Ivy will refuse to install an artifact into
MyEnterpriseRepo which fails to verify.

How is everyone dealing with the verification aspect??

Thanks,

Ray
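
The stage, verify, promote flow described in the message above, as an added example that is not part of the original post and does not use Ivy's own API: a gate that copies an artifact from a stage directory into the enterprise repository only when it matches a digest pinned out of band. The names `promote_verified` and `pins`, the directory layout and the sample "jars" are assumptions constructed for illustration.

```python
import hashlib, hmac, os, shutil, tempfile
from pathlib import Path

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def promote_verified(stage, repo, pins):
    """Copy files from stage to repo only when they match a pinned digest.

    pins maps a path relative to stage to (algorithm, hex digest); the
    digests are assumed to come from a trusted, non-mirror source.
    """
    promoted, rejected = [], {}
    for src in sorted(p for p in stage.rglob("*") if p.is_file()):
        rel = src.relative_to(stage).as_posix()
        if rel not in pins:
            rejected[rel] = "no pinned digest"  # unlisted artifacts never get in
            continue
        algo, expected = pins[rel]
        dst = repo / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        part = dst.with_name(dst.name + ".part")
        shutil.copyfile(src, part)
        # Hash the copy, not the staged file, so a swap after the check cannot slip in.
        if hmac.compare_digest(file_digest(part, algo), expected.lower()):
            os.replace(part, dst)
            promoted.append(rel)
        else:
            part.unlink()
            rejected[rel] = algo + " mismatch"
    return promoted, rejected

def demo():
    # Constructed sample data: fake "jars" in throwaway directories.
    root = Path(tempfile.mkdtemp())
    stage, repo = root / "stage", root / "MyEnterpriseRepo"
    (stage / "org/a").mkdir(parents=True)
    (stage / "org/a/a-1.0.jar").write_bytes(b"good jar bytes")
    (stage / "org/a/b-2.0.jar").write_bytes(b"tampered jar bytes")
    (stage / "org/a/c-3.0.jar").write_bytes(b"unlisted jar bytes")
    pins = {
        "org/a/a-1.0.jar": ("sha256", hashlib.sha256(b"good jar bytes").hexdigest()),
        "org/a/b-2.0.jar": ("sha1", hashlib.sha1(b"original jar bytes").hexdigest()),
    }
    promoted, rejected = promote_verified(stage, repo, pins)
    return promoted, rejected, sorted(p.name for p in repo.rglob("*") if p.is_file())
```

A digest only proves the file matches the pin, so the pins themselves have to come from a channel that is independent of the mirror the jar was fetched from.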
