geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: no more modules for specs...
Date Sat, 16 Dec 2006 08:40:29 GMT

On Dec 15, 2006, at 11:05 PM, Jason van Zyl wrote:
<big snip>
> Then don't use those repos, or label them as snapshot repos. As far  
> as Geronimo is concerned why do you need anything more then central  
> as a source? Aside from your SNAPSHOT dependencies.
> This will only stop when Archiva is in full effect. The only way to  
> submit anything to central will be via Archiva. Any project who  
> wishes to have the same stability will only take artifacts that  
> have passed through and instance of Archiva. You'll know you're  
> using an instance of Archiva because we'll have a wagon for doing  
> that and it will be configured. It will eventually be the default.  
> It will simply be the Grizzly client and Jetty using the Grizzly  
> connector.

Jason, one thing I'd like to point out here is that to a large extent  
jdillon has been saying "the current state of maven remote repos is  
unreliable" and you are saying, "no, as soon as we get archiva,  
signatures, audit trails, etc etc etc working they will be  
reliable".  That's agreeing with jdillon that the current state of  
maven remote repos is unreliable since they don't have signed  
artifacts and an audit trail (at least).  Just because you wish  
remote repos worked and were reliable does not mean they are today.   
I personally don't think they will be satisfactory until you have a  
revocation procedure in place as well as signing and an audit trail.   
I suspect that making this distributed system reliable is going to be  
much much harder than you imagine: I hope I'm wrong because if it  
works it would be really great.

Another comment I will make is that I am fairly sure there are severe  
bugs in the maven artifact resolution process when snapshots are  
present.  This is because if I remove all org.apache.geronimo.modules  
artifacts from my local repo and build the corresponding part of  
geronimo, if I build online I usually get errors together with  
downloaded timestamped artifacts whereas if I build offline the build  
succeeds.  Note carefully that I am only building geronimo artifacts  
and there is no change whatsoever in non-geronimo artifacts in my  
local repo.  I think nearly every time we've made a change involving  
more than one module since we started using m2 and pushing snapshots  
to the snapshot repo we've had user complaints that the build is  
broken, and the solution always is to build offline.

Your complaints about any already released geronimo artifacts are  
totally irrelevant  unless you want to recommend we move back to m1  
since the 1.2-beta and 2.0-M1 are the first releases we've tried to  
do with m2 (except for specs, which got messed up in various other  
ways but have not been a giant problem until recently).

david jencks

View raw message