www-repository mailing list archives

From "Henri Yandell" <flame...@gmail.com>
Subject Re: [repo] /www/people.apache.org/repo/m1-ibiblio-rsync-repository/
Date Tue, 12 Dec 2006 21:45:45 GMT
On 12/12/06, Steve Loughran <steve.loughran@gmail.com> wrote:
> (replying to all as I don't yet know if dims is on repository@)
> On 12/12/06, Davanum Srinivas <davanum@gmail.com> wrote:
> > Don't worry Carlos. Let's set up a process. Let's document what
> > process we want everyone to conform to on our Wiki then inform infra
> > folks. Let them look it over and then we can set a date for new
> > releases to conform to the policy. Does that sound like a plan?
> >
> 1. Nobody releases artifacts that aren't signed off by the relevant PMC.


That's a current rule - enforcement being the key.

> 2. No artifacts get released if their explicit/implicit metadata is invalid


That's a current rule (?) enforcement being the key.

>   -POMs have schema declaration and are valid against the schema
>   -POMs have no unexpanded ${project.version} values
>   -all dependencies resolve. You cannot depend on sun stuff that
> doesn't at least have a stub.
>   -dependency graph is acyclic and no ambiguities (conflicting
> artifacts at the same depth)
>   -until we have an automated solution, all artifacts will be held in
> staging until hand audited. That means scanning the artifact looking
> for common trouble spots (testing artifacts non-optional, etc.)
>   -checksums exist and are correct.
>   -MD includes license and POM author info.
> In an ideal world we'd audit the JARs and look for trouble there too.
>  -Java1.5+ class files (warn, don't reject :)

Yeah, as highly likely this could be intentional.

>  -copied in class files from other JARs
> I don't have any stats on how much of an issue this is, yet.
> As far as I'm concerned, the repository team is not over-strict;
> they've been far too forgiving of the stuff that goes in there,
> accepting artifacts in the wrong place and with truly awful metadata.
> Nobody benefits from that.


GPG signing on all artifacts.
Javadoc/Source for all artifacts?
Does this apply to the m1 repository?
Do we clean the current m2 repository?
Does it apply to snapshot repositories?
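
The metadata checks listed in the quoted proposal (schema declaration, unexpanded `${project.version}` values, checksums, the Java 1.5+ class-file warning), sketched as an added example that is not part of the original message or of any Apache tooling. Function names and the sample POM are constructed; the sketch assumes a `.sha1` sidecar, checks only that a schema is declared rather than validating against it, and goes slightly beyond the thread by treating any `${...}` in a `<version>` element as unexpanded.

```python
import hashlib, io, re, struct, zipfile
import xml.etree.ElementTree as ET

XSI_SCHEMA_LOCATION = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")  # e.g. ${project.version}

def audit_pom(pom_bytes):
    """Return rejection reasons for a POM; an empty list means it passes."""
    if b"<!DOCTYPE" in pom_bytes:  # POMs need no DTD; refuse before parsing
        return ["POM declares a DOCTYPE"]
    try:
        root = ET.fromstring(pom_bytes)
    except ET.ParseError as exc:
        return [f"POM is not well-formed XML: {exc}"]
    problems = []
    if XSI_SCHEMA_LOCATION not in root.attrib:
        problems.append("POM has no schema declaration")
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "version" and PLACEHOLDER.search(el.text or ""):
            problems.append(f"unexpanded version value: {el.text.strip()}")
    return problems

def audit_sha1(artifact_bytes, sidecar_text):
    """Compare a .sha1 sidecar (first token is the hex digest) with the artifact."""
    tokens = (sidecar_text or "").split()
    if not tokens:
        return ["checksum missing"]
    actual = hashlib.sha1(artifact_bytes).hexdigest()
    return [] if tokens[0].lower() == actual else [f"SHA-1 mismatch: expected {tokens[0]}, got {actual}"]

def java5_class_warnings(jar_bytes):
    """Warn, not reject, on class files at major version 49 (Java 1.5) or later."""
    warnings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                with jar.open(name) as fh:
                    head = fh.read(8)  # magic, minor, major; never inflate the whole entry
                if len(head) == 8 and head[:4] == b"\xca\xfe\xba\xbe":
                    major = struct.unpack(">H", head[6:8])[0]
                    if major >= 49:
                        warnings.append(f"{name}: class file major version {major}")
    return warnings

# Constructed sample input (not from the thread): a POM with one unexpanded value.
SAMPLE_POM = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies><dependency><groupId>org.example</groupId><artifactId>demo-api</artifactId>
    <version>${project.version}</version></dependency></dependencies></project>"""
```

Running `audit_pom(SAMPLE_POM)` reports both the missing schema declaration and the unexpanded dependency version; an artifact would stay in staging while any of the three functions returns a non-empty rejection list.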

