maven-dev mailing list archives

From Stephen Connolly <stephen.alan.conno...@gmail.com>
Subject Re: Model Version 5.0.0
Date Tue, 25 Mar 2014 10:19:53 GMT
Nahh.. you misinterpret what I am saying (probably a fault of my
communication)... when it is not a day I have taken as vacation time I will
explain in more detail


On 25 March 2014 08:55, Baptiste Mathus <bmathus@batmat.net> wrote:

> FWIW, I'm aware it's easily feasible to add that checksum validation in a
> plugin, but you'll still have to repeat the coordinates.
> And that very thing was my point: I don't think having to repeat those
> coordinates to add metadata is great.
>
> Not even saying this *must* go in modelVersion 5, I just wanted that debate
> to happen at least for future reference if people wonder why maven pom
> can't store that dependency metadata (DRY'ly alongside its data, I mean).
>
> Cheers
>
>
> 2014-03-25 6:36 GMT+01:00 Dominik Bartholdi <domi@fortysix.ch>:
>
> >
> > For this, there is already an enforcer rule available:
> > https://github.com/gary-rowe/BitcoinjEnforcerRules
> > Domi
> >
> > On 24.03.2014, at 20:31, Martijn Dashorst <martijn.dashorst@gmail.com>
> > wrote:
> >
> > > On Mon, Mar 24, 2014 at 8:06 PM, Stephen Connolly <
> > > stephen.alan.connolly@gmail.com> wrote:
> > >
> > >> I see the checksums then as being another potential side artifact...
> > >> No need for modelVersion 5.0.0
> > >>
> > >
> > > I see it differently: the checksum validates the GAV coordinates. "I
> > > mean 'com.example.foo:foo:1.0', specifically verify that it matches this
> > > signature 'sha1:1234567890abcdef'."
> > >
> > > For example, this enables me to check if a different version of an
> > > artefact was uploaded to the same GAV than I expected (and reportedly
> > > the original author too).
> > >
> > >> A plugin right now could capture them and deploy to repo, and you could
> > >> have same plugin verify the resolved dependencies against the same
> > >> file.
> > >>
> > >
> > > This assumes the whole chain of parties is to be trusted. That nobody
> > > will try to side-load a version from a different repository.
> > >
> > > I find the idea of adding a checksum to a dependency interesting.
> > > While I don't care for the extra fields in the POM, it opens a better
> > > venue of vetting the dependencies.
> > >
> > > Martijn
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > For additional commands, e-mail: dev-help@maven.apache.org
> >
> >
>
>
> --
> Baptiste <Batmat> MATHUS - http://batmat.net
> Save a tree,
> Eat a beaver!
>
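The check Martijn describes above (pin a GAV to an expected SHA-1 and verify the resolved artifact against it, flagging both mismatches and dependencies nobody pinned) as an added example; this is illustrative code written for this page, not Maven's, not a plugin from the thread, and the function and type names (`Pin`, `repo_path`, `verify`) and the in-memory "resolved" map standing in for a local repository are assumptions of the example.

```python
"""Verify resolved Maven dependencies against pinned checksums keyed by GAV."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    gav: str    # "groupId:artifactId:version", the coordinates being pinned
    algo: str   # hashlib algorithm name, e.g. "sha1" or "sha256"
    digest: str # expected hex digest of the artifact bytes


def parse_pin(gav: str, spec: str) -> Pin:
    """Parse the 'sha1:1234...' form from the thread into a Pin."""
    algo, _, digest = spec.partition(":")
    if algo not in hashlib.algorithms_available or not digest:
        raise ValueError(f"unsupported checksum spec: {spec}")
    return Pin(gav, algo, digest.lower())


def repo_path(gav: str, ext: str = "jar") -> str:
    """Map GAV coordinates to the Maven repository layout path."""
    group, artifact, version = gav.split(":")
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{ext}"


def digest_hex(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


def verify(pins, resolved):
    """resolved maps GAV -> artifact bytes (hypothetical stand-in for a local repo).

    Returns (gav, status, detail) per dependency: OK, MISMATCH (a different
    artifact now sits at the pinned GAV), MISSING, or UNPINNED (no checksum on
    record, so nothing vouches for what was resolved).
    """
    pinned = {p.gav: p for p in pins}
    results = []
    for gav, pin in pinned.items():
        data = resolved.get(gav)
        if data is None:
            results.append((gav, "MISSING", repo_path(gav)))
            continue
        actual = digest_hex(pin.algo, data)
        status = "OK" if actual == pin.digest else "MISMATCH"
        results.append((gav, status, f"expected {pin.digest} got {actual}"))
    for gav in resolved:
        if gav not in pinned:
            results.append((gav, "UNPINNED", repo_path(gav)))
    return results
```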
