www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Porter <brett.por...@gmail.com>
Subject Re: Maven repository policies
Date Fri, 29 Jul 2005 02:34:49 GMT
On 7/27/05, Phil Steitz <phil@steitz.com> wrote:
> > Some specific policies:
> I would strengthen this to say explicitly that only *released* artifacts
> can be in /dist/ and that we enforce the policy (ideally in an automated
> way) that what gets put there corresponds *exactly* to what was released.

+1

> I don't know enough about maven repository management to understand
> fully the implications of this, but it seems to me that leaving
> "jakarta" out of the name adds flexibility with no loss of specificity.
>   So, if one day commons is a TLP, we do not have to rename.  It seems
> more natural to me to mirror the package names, but again I don't claim
> to understand all of the issues here.

I was following the SVN structure, but I'm fine with it either way.
Releases stay where they are whether the project renames in later
versions or not (though you can move a release and leave a repository
pointer in the old position too).

Given that all the Jakarta projects are using org.apache.foo as their
Java package, and have eyes on being promoted to TLP one day, I'm
happy with matching the groupId to the package (its shorter, too :)

Groups can get deeper too if necessary. Eg, we have o.a.m.plugins as a
group. If a particular commons project intends to produce multiple
jars (jelly), I think o.a.commons.jelly should be a group.

This can get confusing when browsing the structure, I guess, but I
think we have every intention of setting up a proper search and
browsing capability at some point.

> > 5) all files must have an .md5 and .sha1 checksum. Maven deploys these
> > automatically, and I believe this is already monitored by a script which
> > we could crack down on violations of in the new repo.

> Out of curiousity, why both?  Does maven now generate both?

Yes. I'm happy to just do one or the other - but I get the feeling
that sha1 was a better choice, but that some tools might only be using
the md5.

> > 6) all files in the /dist/ repository must have a .asc signature. We
> > will need to get this automated by the final release of Maven 2.

> What about KEYS?

Yes, standard distribution rules. I'm not sure if we need that in the
repo or just a URL from /dist/ at large - will see what comes of
commons-openpgp.

> Ambivalent on this one - I don't see a compelling reason to separate
> archived releases in the repository.  

Just to ease the mirroring burden and to make the latest releases repo
more browsable.

> Is there an official apache
> archive policy? Maybe I am missing something.

I think for /dist/ proper you only retain the last release or two, and
everything is automatically in archive.apache.org.

Cheers,
Brett

Mime
View raw message