www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brett Porter" <brett.por...@gmail.com>
Subject Fwd: Maven repository policies
Date Wed, 01 Mar 2006 06:08:51 GMT
Henk's mail to me in December that I promised to send to the list.

---------- Forwarded message ----------
From: Henk P. Penning <henkp@cs.uu.nl>
Date: Dec 28, 2005 10:58 PM
Subject: Re: Maven repository policies
To: Brett Porter <brett.porter@gmail.com>


On Wed, 28 Dec 2005, Brett Porter wrote:

> Date: Wed, 28 Dec 2005 10:58:29 +1100
> From: Brett Porter <brett.porter@gmail.com>
> To: Henk P. Penning <henkp@apache.org>
> Subject: Re: Maven repository policies
>
> On 12/27/05, Henk P. Penning <henkp@apache.org> wrote:
> >   I noticed that the first artifacts are appearing in 'maven-repository'.
> >   The stuff isn't signed, and I don't see a 'deployment/cleanup hook' ;
> >   Am I missing something ?
>
> I will chase them up. I told them they had to sign them manually, and
> it hasn't happened.
>
> I think we might need to rethink whether this belongs in /dist/ if it
> needs to be cleaned up. The repository is meant to house historical
> versions so that builds remain reproducible. Maybe the better
> alternative is to move them directly to archive.apache.org, or move
> them to a completely separate web server so that there is only one
> copy, and the mirroring is all done through Maven's repository system
> rather than the Apache mirror system. Thoughts?

Brett,

  this is a good time for 'rethinks' :-). Lets summarize :

  -- all apache.org software must be signed. Ideally, for legal
     reasons, every piece of software should be accompanied by
     a reference to a pmc's decision to publish ; for instance
     a reference to some mail in the public mail list archive.

  -- 'dist/' must be kept clean because of bandwidth costs for
     the rsync roots and mirrors, and user convenience.

  -- production stuff (stuff needed for (one time) installation
     of software) must be in 'dist/', that is, on the mirrors.

  -- The ASF has no infrastructure to support applications that
     do some form of 'build', every time they run.

  Is it correct that, currently, 'ibiblio' is the only 'user'
  of the repository, in the sense that no 'clients' use the
  apache.org repo ? Is that what you ean by "mirroring is all
  done through Maven's repository system".

  Because the 'java-repository' model of software devellopment and
  distribution is quite unlike that of 'projects'. Any change requires
  approval of the mirror team (apmirror@a.o), infrastructure and
  eventually the board.

  If my summary above is correct, removing the repo's from dist
  would be a good idea, provided that stuff is signed and the
  new repo isn't a 'sigle resource' for maven clients.

  Putting stuff directly is 'archive' is not a good idea, imho.
  It is an archive of '/dist/', and that shouldn't change.

> Brett

  Regards,

  Henk Penning

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html          M penning@cs.uu.nl  \_/

Mime
View raw message