Steve Loughran wrote:
OK, now that Ant1.6 has antlibs, it is time to think of the next step: auto download of antlibs and (perhaps) dependencies.
1. Possible requirements
-allow users to specify the URLs of dependent antlibs -allow teams to provide an override point that specifies their location -secure download -only files from trusted sources are fetched.
Signed jars ?
that was roughly my thought. But then you need a signature trust model with certificate handling and the like, security panics, etc etc. Having a simpler 'no security at all' option is more brutally honest and a lot easier :)
But security is a big issue for behind the firewall stuff. I am setting up cruisecontrol to run against the work project we are doing (smartfrog.org), whose CVS repository is sourceforge. So now I have to worry about how to download and run arbitrary source from sforge, without giving that code arbitrary access to behind the firewall systems (you know, the ones with all the SysV source, in case some malicious build file secretly starts copying lines from sysv into the linux-64 repository). I am going to have to resort to hardware (dedicated box outside the wall) or software -a vmware configuration, maybe with something emulating a router that only routes outside both our class A subnets. (yes, *both* class A subnets :)
-caching of downloads, global or per-user -go through proxies -allow antlib providers to move their files (handle redirects)
Is this really needed ?
Maybe not at first. But 302 redirs are very useful over time.
-allow antlib providers to mirror, by having a mirror file that lists possible sources
I would add: support for sourceforge-like mirrors and "click" repositories.
-support private repositories (intranet/internet, https, authenticated) as well as public sources
-make it easy to publish an antlib, and register it in the ant central list
And if possible, a single central list :-)
no, too much maintenance :)
Anything else?
- support for multiple repository types ? It would be really nice if the tool would be able to fetch RPM/APT dependencies ( from jpackage or a similar repo ), as well as maven and other descriptors.
aah, too many features!
2. What things implement this? What do Maven and Ruper do?
3. do we want to integrate this with ant, or have some more standalone tool that can be used to keep a component repository up to date, a tool with an ant task for use in a build file. A sort of apt-get for apache stuff...
I think having this bundled/integrated with ant would be an excelent idea !
I am looking at ruper. I like the GUI too -and I like the ability to say you want to subscribe to, say junit and xalan & have bits of your system kept up to date. (of course, unlike the rpm tools it is not the JRE we are maintaining, just individual projects or users)
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
