Message-ID: <42708AB6.8040000@apache.org>
Date: Thu, 28 Apr 2005 17:03:18 +1000
From: Brett Porter
To: crossley@apache.org
CC: dev@cocoon.apache.org
Subject: Re: [PROPOSAL] Download of jars with Maven ant tasks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

(please CC me on a response to this, or it might be another week before I check back :)

Nicola earlier pointed me at this thread, and I thought I'd just reassure you on a point...

> How do artifacts get into the remote Maven repository
> and how are they guaranteed to be the legitimate file?
For ASF artifacts, the copy on ibiblio is identical to http://www.apache.org/dist/java-repository/ as we rsync it from there (for the Maven2 repository, we do some processing of the metadata, but the original JAR remains intact). We retain logs on what happens here, and have some additional monitoring, so I'm confident what is on Ibiblio and its mirrors is the same as what is on the ASF hardware.

It would be good to make use of the ASF's own mirrors (we can't point people at www.apache.org directly, of course), but we have more work to do there yet before that would be possible.

We have similar arrangements with other projects: open symphony, mortbay, osjava to name some. The rest are done manually, but are checked by humans.

If this isn't strong enough, as Nicola mentioned, you are welcome to set up your own repository - it's very easy to use it instead of, or in addition to, ibiblio. The hardest bit is going to be populating it - in particular the required metadata, but you can certainly copy that from ibiblio and give it a once over.

Steve Loughran had the idea of hardcoding the sha1 of the artifact into your build file so that as long as you can get the original and trust it, you're protected from future compromise. This isn't flawless, and is probably somewhat tedious for general use... but if you are interested that could be added to at least the first level of dependencies.

Anyway, I'm glad to hear you're considering using our ant tasks - if there is anything we can do to help out, please drop us a line at dev@maven.

Cheers,
Brett

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)
Comment: Using GnuPG with Thirdbird - http://enigmail.mozdev.org

iD8DBQFCcIq2Ob5RoQhMkRMRAh7CAKCV0NMVdDMjrBollIQzMerQS0wnfwCcD3Sc
aFOcPOJdApTUGiPLAYo4psA=
=wlZY
-----END PGP SIGNATURE-----
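The checksum-pinning idea Brett attributes to Steve Loughran, worked through as an added example (this is not code from the thread, from Maven or from Cocoon): each dependency's digest is recorded next to its name in a pin list, and the build refuses to proceed if a downloaded jar no longer matches. The pin-list format (sha1sum-style "<hex>  <artifact>" lines), the artifact names and the function names are assumptions made for this example; the jar bytes are constructed stand-ins. As Brett notes, the protection only holds if the copy the pins were taken from was itself trusted. SHA-1 is used here because that is what the thread discusses; a pin set created today would use SHA-256, which is a one-word change in `hashlib`.

```python
"""
Checksum pinning for downloaded dependencies (added example, not Maven or Cocoon code).
The build records the digest of each trusted original next to its artifact name;
a later change on the remote repository is then caught at build time.
"""
import hashlib
import hmac
import os
import tempfile


def parse_pins(text: str) -> dict:
    """Parse a pin list: one "<40 hex chars>  <artifact file name>" per line.
    Lines beginning with '#' are comments. The format is an assumption of this example."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<sha1>  <artifact>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a SHA-1 hex digest")
        if name in pins:
            raise ValueError(f"line {lineno}: duplicate pin for {name}")
        pins[name] = digest
    return pins


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of an in-memory blob (used to take pins from trusted originals)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, read in chunks so large jars do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(pins: dict, lib_dir: str) -> dict:
    """Compare every pinned artifact in lib_dir with its recorded SHA-1.
    Returns {artifact: "ok" | "missing" | "mismatch"}; a build should fail on
    anything other than "ok"."""
    results = {}
    for name, expected in pins.items():
        path = os.path.join(lib_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha1_of_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo() -> dict:
    """Constructed scenario: one intact jar, one replaced after the pin was taken,
    one that was never downloaded."""
    intact = b"PK\x03\x04 constructed bytes standing in for foo-1.0.jar"
    original_bar = b"PK\x03\x04 constructed bytes standing in for bar-2.1.jar"
    replaced_bar = original_bar + b" (contents changed after the pin was recorded)"
    baz = b"PK\x03\x04 constructed bytes standing in for baz-0.3.jar"
    # Pins are taken from the trusted originals, as the thread suggests.
    pin_text = "\n".join([
        "# build-time dependency pins (constructed for this example)",
        f"{sha1_hex(intact)}  foo-1.0.jar",
        f"{sha1_hex(original_bar)}  bar-2.1.jar",
        f"{sha1_hex(baz)}  baz-0.3.jar",
    ])
    with tempfile.TemporaryDirectory() as lib:
        with open(os.path.join(lib, "foo-1.0.jar"), "wb") as f:
            f.write(intact)
        with open(os.path.join(lib, "bar-2.1.jar"), "wb") as f:
            f.write(replaced_bar)  # what a changed remote copy would look like locally
        # baz-0.3.jar is deliberately absent
        return verify_artifacts(parse_pins(pin_text), lib)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:8s} {name}")
```

Running the block reports `ok` for foo-1.0.jar, `mismatch` for bar-2.1.jar and `missing` for baz-0.3.jar. `hmac.compare_digest` is used for the comparison so that the check does not leak timing information about the expected digest; `parse_pins` rejects malformed or duplicate entries so that a typo in the pin list fails loudly instead of silently skipping an artifact.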