maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bernd Eckenfels <>
Subject Maven Central artifacts list
Date Wed, 27 Aug 2014 14:49:33 GMT
Hello Jason,

a somewhat related question. would it be possible to publish a SHAxSUM file of all the artifacts
of the repository? I figured this would be much more efficient than walking any of the repos
to validate local mirrors. It also can be used to detect modifications to released artifacts
without the need of guessing PGP keys.

Maybe the index process already has that information available...



----- Ursprüngliche Nachricht -----
Von: "Jason van Zyl" <>
Gesendet: ‎27.‎08.‎2014 14:11
An: "Maven Developers List" <>
Betreff: [Proposal] New Mirror for Maven Central


As part of our discussions with Sonatype I would like to propose a new location for our agreed
upon 3rd party mirror for Maven Central.

About a year ago a friend of mine, Matt Stephenson, who was at Google (he now works at Square),
asked if there was a way to get a copy of Maven Central for Google to do some analysis and
prototyping. I always have an up-to-date copy of Maven Central and what they wanted to do
sounded interesting and generally useful so I said sure and that I would drop off a drive
for Matt at the SF office. Instead they suggested that I use the new Cloud infrastructure
and setup the mirroring on one of their machines and so we did that. Over the last year I've
worked with Matt and met more people at Google and ultimately they offered to pay for any
of the machines and bandwidth required to house the mirror of Maven Central. Why would Google
pay for this? They have made some developer tools based on the data, they have done their
own security analysis for the protection of their own systems that use Java, and they want
to leverage a near-copy of Maven Central for systems like Google App Engine. The cost of storage
is nominal (40 dollars a month for 2TB) and if the cost of the whole system is less than one
FTE (150-200k/year) it's not even going to register.

I think Google is generally to be thought of as a good OSS partner and they have supported
many programs and efforts for many years. I asked them a few months ago if they would support
the Maven PMC in having a long-term location for a mirror of Maven Central for our purposes
and they liked the idea. It's mutually beneficial.

So I would like to propose that we use this infrastructure for the place for our agreed upon
3rd party mirror location. A few weeks ago I showed this to Hervé to see what he thought
and if it was even a good idea to propose and we both agreed it would be. I relinquished my
admin access to Hervé in the console so, as the Maven PMC Chair,  he can provide access to
anyone who wants to check it out. I believe it would be a great place to do validation and
an easy way for us to provide anyone with copies of Maven Central who wish it.

I think it would be a relatively simple change where we can give Sonatype a key, and then
the push moves content to this new infrastructure.

Matt also setup an experiment to push the content of Maven Central to Google's CDN which has
an HTTPS/S3 interface which you can see here[1]. So the equivalent access to Ibiblio can be
provided by Google. From here we can also manage a push to Ibiblio to maintain consistency.

I encourage folks to get access and take a look around, but I think it's a nice offer from




Jason van Zyl
Founder,  Apache Maven

believe nothing, no matter where you read it,
or who has said it,
not even if i have said it,
unless it agrees with your own reason
and your own common sense.

 -- Buddha

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message