maven-dev mailing list archives

From Baptiste Mathus <bmat...@batmat.net>
Subject Re: Model Version 5.0.0
Date Tue, 25 Mar 2014 08:55:38 GMT
FWIW, I'm aware it's easily feasible to add that checksum validation in a
plugin, but you'll still have to repeat the coordinates.
And that very thing was my point: I don't think having to repeat those
coordinates to add metadata is great.

Not even saying this *must* go in modelVersion 5, I just wanted that debate
to happen at least for future reference if people wonder why maven pom
can't store that dependency metadata (DRY'ly alongside its data, I mean).

Cheers


2014-03-25 6:36 GMT+01:00 Dominik Bartholdi <domi@fortysix.ch>:

>
> For this, there is already an enforcer rule available:
> https://github.com/gary-rowe/BitcoinjEnforcerRules
> Domi
>
> On 24.03.2014, at 20:31, Martijn Dashorst <martijn.dashorst@gmail.com>
> wrote:
>
> > On Mon, Mar 24, 2014 at 8:06 PM, Stephen Connolly <
> > stephen.alan.connolly@gmail.com> wrote:
> >
> >> I see the checksums then as being another potential side artifact... No
> >> need for modelVersion 5.0.0
> >>
> >
> > I see it differently: the checksum validates the GAV coordinates. "I mean
> > 'com.example.foo:foo:1.0', specifically verify that it matches this
> > signature 'sha1:1234567890abcdef'."
> >
> > For example, this enables me to check if a different version of an artefact
> > was uploaded to the same GAV than I expected (and reportedly the original
> > author too).
> >
> >> A plugin right now could capture them and deploy to repo, and you could
> >> have same plugin verify the resolved dependencies against the same file.
> >>
> >
> > This assumes the whole chain of parties is to be trusted. That nobody will
> > try to side-load a version from a different repository.
> >
> > I find the idea of adding a checksum to a dependency interesting. While I
> > don't care for the extra fields in the POM, it opens a better venue of
> > vetting the dependencies.
> >
> > Martijn
>


-- 
Baptiste <Batmat> MATHUS - http://batmat.net
Save a tree,
Eat a beaver!

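Added example, not part of the original thread or of Maven itself: a sketch of the check the thread debates, verifying resolved artifacts against checksums pinned per GAV so that different bytes published or side-loaded under the same coordinates are detected. The pin-file format, the function names and the sample repository are assumptions made for illustration; only the `group/artifact/version/artifact-version.jar` repository layout is Maven's own.

```python
import hashlib
import tempfile
from pathlib import Path

ALLOWED = {"sha1", "sha256", "sha512"}  # sha1 is the thread's example; prefer sha256+

def artifact_path(repo, gav):
    """Map 'group:artifact:version' to the standard repository layout (jar assumed)."""
    group, artifact, version = gav.split(":")
    return Path(repo, *group.split("."), artifact, version, f"{artifact}-{version}.jar")

def parse_pins(text):
    """Parse lines of '<gav> <algo>:<hex>' (hypothetical format) into {gav: (algo, hex)}."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        gav, digest = line.split()
        algo, _, hexval = digest.partition(":")
        if algo not in ALLOWED or gav in pins:
            raise ValueError(f"bad or duplicate pin: {line}")
        pins[gav] = (algo, hexval.lower())
    return pins

def verify(repo, pins):
    """Return {gav: 'ok' | 'mismatch' | 'missing'} for every pinned dependency."""
    report = {}
    for gav, (algo, expected) in pins.items():
        jar = artifact_path(repo, gav)
        if not jar.is_file():
            report[gav] = "missing"
            continue
        actual = hashlib.new(algo, jar.read_bytes()).hexdigest()
        report[gav] = "ok" if actual == expected else "mismatch"
    return report

def demo():
    """Constructed data: pin a jar, then replace it under the same GAV."""
    gav = "com.example.foo:foo:1.0"
    with tempfile.TemporaryDirectory() as repo:
        jar = artifact_path(repo, gav)
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"original release")
        pins = parse_pins(f"{gav} sha256:{hashlib.sha256(b'original release').hexdigest()}")
        before = verify(repo, pins)[gav]
        jar.write_bytes(b"re-uploaded content")  # same coordinates, different bytes
        return before, verify(repo, pins)[gav]

if __name__ == "__main__":
    print(demo())
```

Because the pins live in a separate file here, the coordinates are repeated next to each checksum, which is the duplication the message above objects to.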