On Thu February 19 2009 1:58:43 pm Benson Margulies wrote:
> I'm generally positive on this. I've got Nexus deployed here at Basis
> with reasonable results.
>
> I don't like the use of HTTP Basic authentication which requires
> putting a password into the maven settings.xml. Is that what we'd be
> faced with, or is your remark about the certificate a reflection of a
> plan to allow cert-based auth for deployment? If so, I want to learn
> how to do it, I want to do it here.

No.   It's using https so that the basic auth token isn't passed on the wire 
in an unencrypted form that would be easy to sniff/decode.  It still would 
require the info in the settings.xml.    Thus, we COULD punt on this until 
maven 2.1 is released which fixes:
http://jira.codehaus.org/browse/MNG-553
and would secure it.

> Nexus will manage artifacts on 'any old file system'. Why didn't ASF
> infra arrange for Nexus to just colonize the existing real estate to
> keep the URLs? But I don't object to the change.

Infra doesn't want any processes running on people.apache.org.  The zones 
don't have access to it.  (I think they are even in different colocs)   Thus, 
that doesn't really work.  :-(

Dan


>
> On Thu, Feb 19, 2009 at 1:38 PM, Daniel Kulp <dk...@apache.org> wrote:
> > Some of you may be aware that the Maven team (actually Sonatype) has
> > installed Nexus repository manager onto a zone at
> > http://repository.apache.org.    Thus, projects are now being given the
> > option to use the Nexus repository instead of the stuff on
> > people.apache.org for things like snapshots and/or releases.
> >
> > One main advantage is that it uses HTTPS for deploys.   No futzing with
> > ssh/scp to get deploys working.   You need to put a setting or two in
> > your settings.xml file for auth info, but that's it.  The deploys will
> > just work.
> >
> > From a release perspective, it also supports easy staging and promotion.
> > When a release is deployed, it goes into a staging area automatically.  
> > We then call the vote and if the vote passes, it's a push button
> > promotion to deploy it to central.   Nexus handles all the metadata and
> > such.   You don't need the maven-stage-plugin anymore.
> >
> >
> > Now for the downsides:
> > 1) The https self signed cert they currently use requires some work to
> > embed it into your jre keystore.   They've asked for a real cert, but
> > haven't gotten it yet.
> >
> > 2) Requires a little user management to put all of us into the "cxf"
> > group (if only Apache had ldap....), but Sonatype and the Maven PMC are
> > willing to manage that.
> >
> > 3) User impact:  if we decide that snapshots should go to nexus (we could
> > just do releases), users that use the snapshots would need to change
> > their URLs to grab from the new URL.     The links on our wiki would
> > need to change as well.
> >
> > 4) Obviously, our release procedures wiki page would need major updating.
> >
> > 5) Learning curve: something new.   You can see the maven release docs:
> > http://maven.apache.org/developers/release/releasing.html
> > for a kind of walkthrough of how it would work. (with screen shots!)
> >
> >
> > Anyway, I'd like to hear others' thoughts.    It MOSTLY applies to myself
> > and Willem as we're the only ones that have done releases.   However, the
> > snapshot stuff applies to Benson and a couple others as well.
> >
> > --
> > Daniel Kulp
> > dk...@apache.org
> > http://www.dankulp.com/blog

-- 
Daniel Kulp
dk...@apache.org
http://www.dankulp.com/blog
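
The concern raised in this thread (a Basic auth password sitting in settings.xml) can be checked mechanically. The following is an added example, not code from the thread or from the Maven or Nexus projects: it flags `<server>` entries whose password is stored in plaintext, and shows why Basic auth needs HTTPS. The server ids and credentials are constructed, and the check assumes the curly-brace wrapping that Maven's settings password encryption (2.1 and later) uses to mark an encrypted value.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml; ids, user and passwords are made up.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
 <servers>
  <server><id>example-plain</id><username>alice</username>
   <password>s3cret</password></server>
  <server><id>example-encrypted</id><username>alice</username>
   <password>{Q09OU1RSVUNURUQ=}</password></server>
  <server><id>example-ssh-key</id><username>alice</username>
   <privateKey>/home/alice/.ssh/id_rsa</privateKey></server>
 </servers>
</settings>"""

# Assumption: an encrypted password is stored wrapped in curly braces.
ENCRYPTED = re.compile(r"\{[^{}]+\}")

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_servers(settings_xml):
    """Return {server id: 'plaintext' | 'encrypted' | 'no-password'}."""
    findings = {}
    for server in ET.fromstring(settings_xml).iter():
        if local(server.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        pw = fields.get("password", "")
        if not pw:
            state = "no-password"
        elif ENCRYPTED.search(pw):
            state = "encrypted"
        else:
            state = "plaintext"
        findings[fields.get("id", "?")] = state
    return findings

def basic_auth_header(user, password):
    """Header value HTTP Basic sends: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

if __name__ == "__main__":
    for server_id, state in audit_servers(SAMPLE_SETTINGS).items():
        print(f"{server_id}: {state}")
    print(basic_auth_header("alice", "s3cret"))
```

To audit a real file, pass its contents to `audit_servers`, for example the text of `~/.m2/settings.xml`.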
