www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefano Bagnara <apa...@bago.org>
Subject James products, independency from ibiblio and poms referring people.apache.org
Date Mon, 02 Oct 2006 19:31:02 GMT
Hi all,

I started a thread about maven2 usage for the James products few weeks 
ago and I received a few suggestions but the thread gone off topic soon.

So I'm here again with what I did and what I would like to do.

I created a root pom for our products:
http://svn.apache.org/repos/asf/james/project/trunk/pom.xml

The interesting part is that I override "central" with the     <repository>
   <id>central</id>
   <name>Apache Main M2 Repository</name>
   <url>http://people.apache.org/repo/m2-ibiblio-rsync-repository</url>
   <releases><enabled>true</enabled></releases>
   <snapshots><enabled>true</enabled></snapshots>
</repository>

Then in jspf (one of our products) I use that project as parent:
http://svn.apache.org/repos/asf/james/jspf/trunk/pom.xml
and I add an "in source tree repository" reference like this one:
<repository>
   <id>local-jspf-3rd-party-m1</id>
   <name>Local jSPF third party repository</name>
   <url>file://${basedir}/repos/third-party-m1</url>
   <layout>legacy</layout>
   <releases><enabled>true</enabled>
     <checksumPolicy>ignore</checksumPolicy>
   </releases>
   <snapshots><enabled>true</enabled>
     <checksumPolicy>ignore</checksumPolicy>
   </snapshots>
</repository>

And I add every dependency that cannot be found on m2/m1 
ibiblio-rsync/snapshot repositories on people.apache.org in the 
repos/third-party-m1 folder using a legacy m1 structure.

In the specific case this files:
repos/third-party-m1/org.jvyaml/jars/jvyaml-0.1.jar
repos/third-party-m1/dnsjava/jars/dnsjava-2.0.1.jar

This way the libraries included in my final release will be retrieved 
only from trusted sources.

And here are the 2 problems I need to address:
1) This way the final pom will have references to 
people.apache.org/repos and I think I understood this is not good for 
ASF policy.
2) maven plugins used to build and test the project (and also the ones 
needed to generate reports and create the website) are still downloaded 
from ibiblio and fallback to codehaus repositories.

I could fix the second point by adding ${basedir}/repos/third-party-m1 
also as pluginRepository and adding ALL of the used plugins to that 
folder but I'm not sure this would be so good, but I really don't know 
how to fix the #1 issue.

I also would like to find a method to create a source package release 
where *every* dependency is included in the package and the pom does not 
include external references: is there an easy way to accomplish this 
requirement?

Maybe I should send this mail to a maven mailing list instead of 
repository.. tell me if this is the case.

I really think that until we wait for maven to solve every issue related 
to repository security ASF should introduce a 3rd party repository to be 
used instead of the file-based "${basedir}/repos" solution. This would 
temporarily increase our builds reliability even not being the final 
solution.

Any critics, hints is welcome ;-)

Stefano


Mime
View raw message