www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefano Bagnara <apa...@bago.org>
Subject Re: maven2 based releases for the james project and ASF policy
Date Mon, 18 Sep 2006 16:45:04 GMT
Hi Brett,

I read your proposal maybe more than 1 month ago, and it seems very good 
to me.

IIRC this is something still being discussed and there is no real 
roadmap (no developer to be assigned) for it to be included in the next 
maven 2.1 release: is this correct?

Otherwise, can you give an ETA for this stuff? I don't want to hurry 
you, I just would like to have an estimate time (1 month? 3 months? 1 
year?) so that we can take it into consideration while discussing 
alternative interim solutions.

I CC general@james.apache.org (where Noel was discussing with us about 
this topic, before I moved to repository@ to find further suggestions) 
so we've much more probability Noel is listening.


Brett Porter wrote:
> On 17/09/06, Stefano Bagnara <apache@bago.org> wrote:
>> One of James PMC members is concerned (and we, other PMC member, agree
>> on his concerns) about the security issues introduced by downloading
>> artifacts from ibiblio or its mirrors, so we are trying to find an
>> interim solution while ASF define a common way.
> BTW, as I'm sure Noel is listening - I'm still waiting on his feedback
> to the proposal I put up specifically about his concerns.
> http://docs.codehaus.org/display/MAVEN/Repository+Security+Improvements
> On this thread, one gotcha I'll note about using file:/ repositories -
> it may be difficult to get them to work as expected in a multiple
> module project. They can still work, it just requires redefining them
> in all POMs that use it, you can't inherit it with the correct
> directory settings.
> Thanks,
> Brett
>> Here is what I've proposed:
>> 1) create a "repository/third-party-m1" folder in our
>> svn.apache.org/repos/asf/james repository.
>> 2) commit there our current third party dependencies (BSD/CDDL/MIT/ASF)
>> 3) export the content of this repository on a subfolder of our
>> james.apache.org website (james.apache.org/repos/third-party-m1 could be
>> a good candidate) so that we don't link directly the SVN server but a
>> mirrored resource (websites are mirrored, right?)
>> 4) add this "james.apache.org/repos/third-party-m1" to our main pom
>> (overwriting ibiblio).
>> We would still use the 2 ASF-wide maven repositories to publish our
>> official release or to read ASF jars and for our snapshots needs.
>> Does ASF policy allow us to do this? WDYT?
>> Stefano

View raw message