commons-dev mailing list archives

From Simon Kitching <>
Subject Re: [all][proposal] Add jar checksums to binary release distributions
Date Wed, 27 Jul 2005 02:48:31 GMT
On Tue, 2005-07-26 at 08:18 -0700, Phil Steitz wrote:
> The [cli] jar issue and other recent discussions on repository@ make
> me think that it would be a good idea to start including md5 and/or
> sha-1 checksums for release jars in the release distribution tarballs.
> While it might be overkill to do so, we might even consider
> referencing the checksums in release [VOTE] threads.  It should not be
> hard to add this to the maven dist plugin for maven builds.  Thoughts?

I don't see how this helps. The full distribution tarballs have a
checksum and a signature, so anyone who downloads and checks a
distribution can be sure that all the jar files inside it are as
expected. What would adding separate checksums for the jar files do?

If someone does want to know whether the maven repo is correct, they can
download the full distribution, check it, unbundle it then do a binary
comparison between the jar in that distro and the one in maven - or
generate checksums and compare them at that time.

Am I right in thinking that "maven jar:deploy" will push a jar out to
the maven repo? If so, that is probably the cause of the problem; it
would be too easy for a maven novice to accidentally run that command.

The easiest fix for all this is to adopt a small procedural change:
ensure that the <currentVersion> tag *always* has a -dev or -snapshot or
-rc suffix except in a subversion tag dir which has passed the final
release vote.

A nice maven change to help with this issue might be to report an error
for all deploy commands where currentVersion is not -dev, -snapshot or
-rc unless the user passes -Dyes_this_is_a_real_release or somesuch on
the commandline.
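
The check described in the message above (verify the full distribution, unpack it, then binary-compare each jar against the copy in the maven repo), written out as an added example; this is not code from the thread or from Commons, and every name in it is hypothetical: the release is called release-1.0.tar.gz with a .sha1 sidecar, the unpacked directory is commons-foo-1.0, the local copy of the repo is ./repo, and the "jars" are constructed text files standing in for real archives.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the Commons build.
# Verify a release tarball against its .sha1 sidecar, unpack it, and compare
# every jar inside byte-for-byte with the same-named jar from a local repo copy.
# All names (release-1.0.tar.gz, commons-foo-1.0, ./repo) are hypothetical and
# the fixtures built by make_fixtures are constructed, not real artifacts.
set -eu

# verify_checksum FILE SIDECAR: 0 if the SHA-1 of FILE equals the first token
# of SIDECAR (works for "hash" and "hash  filename" sidecar formats).
verify_checksum() {
    expected=$(awk '{print $1; exit}' "$2")
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_signature FILE: the signature step for a real download; needs the
# project's release keys imported first. Not exercised by the fixtures below.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# compare_jars DIST_DIR REPO_DIR: byte-compare each jar in DIST_DIR with the
# same-named jar in REPO_DIR. One status line per jar; nonzero if any jar
# differs or is missing from the repo.
compare_jars() {
    rc=0
    for jar in "$1"/*.jar; do
        [ -f "$jar" ] || continue
        name=$(basename "$jar")
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $name"; rc=1
        elif cmp -s "$jar" "$2/$name"; then
            echo "OK       $name"
        else
            echo "DIFFERS  $name  dist=$(sha1sum "$jar" | cut -c1-40)  repo=$(sha1sum "$2/$name" | cut -c1-40)"
            rc=1
        fi
    done
    return $rc
}

# make_fixtures ROOT: constructed release tarball, sidecar and repo copy.
# One repo jar matches the release; the other was altered after the vote.
make_fixtures() {
    mkdir -p "$1/src/commons-foo-1.0" "$1/repo" "$1/unpacked"
    printf 'constructed jar A\n' > "$1/src/commons-foo-1.0/commons-foo-1.0.jar"
    printf 'constructed jar B\n' > "$1/src/commons-foo-1.0/commons-foo-tests-1.0.jar"
    ( cd "$1/src" && tar czf "../release-1.0.tar.gz" commons-foo-1.0 )
    sha1sum "$1/release-1.0.tar.gz" | awk '{print $1}' > "$1/release-1.0.tar.gz.sha1"
    cp "$1/src/commons-foo-1.0/commons-foo-1.0.jar" "$1/repo/"
    printf 'constructed jar B, altered\n' > "$1/repo/commons-foo-tests-1.0.jar"
}

# check_release ROOT: the whole procedure. 0 only if the tarball checksum
# matches and every jar in it is identical to the repo copy.
check_release() {
    verify_checksum "$1/release-1.0.tar.gz" "$1/release-1.0.tar.gz.sha1" \
        || { echo "checksum mismatch on release-1.0.tar.gz"; return 1; }
    tar xzf "$1/release-1.0.tar.gz" -C "$1/unpacked"
    compare_jars "$1/unpacked/commons-foo-1.0" "$1/repo"
}

# Stand-alone run: sh verify_release.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    make_fixtures "$root"
    check_release "$root" || echo "repo does not match the voted release"
fi
```

Running it with the demo argument prints OK for commons-foo-1.0.jar and DIFFERS (with both SHA-1s) for commons-foo-tests-1.0.jar, which is exactly the evidence a "is the repo jar the one we voted on" question needs. Note the two checks prove different things: the .sha1 sidecar, fetched from the same mirror as the tarball, only shows the download was not corrupted in transit, while the detached signature (verify_signature, against keys obtained from the project rather than the mirror) is what ties the tarball to the release manager.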


