Hello Jason,

A somewhat related question. Would it be possible to publish a SHAxSUM file of 
all the artifacts of the repository? I figured this would be much more 
efficient than walking any of the repos to validate local mirrors. It also can 
be used to detect modifications to released artifacts without the need of 
guessing PGP keys.

Maybe the index process already has that information available...

Bernd

-- 
http://bernd.eckenfels.net

----- Original Message -----
From: "Jason van Zyl" <ja...@takari.io>
Sent: 27.08.2014 14:11
To: "Maven Developers List" <dev@maven.apache.org>
Subject: [Proposal] New Mirror for Maven Central

Hi,

As part of our discussions with Sonatype I would like to propose a new location 
for our agreed upon 3rd party mirror for Maven Central.

About a year ago a friend of mine, Matt Stephenson, who was at Google (he now 
works at Square), asked if there was a way to get a copy of Maven Central for 
Google to do some analysis and prototyping. I always have an up-to-date copy of 
Maven Central and what they wanted to do sounded interesting and generally 
useful so I said sure and that I would drop off a drive for Matt at the SF 
office. Instead they suggested that I use the new Cloud infrastructure and 
set up the mirroring on one of their machines and so we did that. Over the last 
year I've worked with Matt and met more people at Google and ultimately they 
offered to pay for any of the machines and bandwidth required to house the 
mirror of Maven Central. Why would Google pay for this? They have made some 
developer tools based on the data, they have done their own security analysis 
for the protection of their own systems that use Java, and they want to 
leverage a near-copy of Maven Central for systems like Google App Engine. The 
cost of storage is nominal (40 dollars a month for 2TB) and if the cost of the 
whole system is less than one FTE (150-200k/year) it's not even going to 
register.

I think Google is generally to be thought of as a good OSS partner and they 
have supported many programs and efforts for many years. I asked them a few 
months ago if they would support the Maven PMC in having a long-term location 
for a mirror of Maven Central for our purposes and they liked the idea. It's 
mutually beneficial.

So I would like to propose that we use this infrastructure for the place for 
our agreed upon 3rd party mirror location. A few weeks ago I showed this to 
Hervé to see what he thought and if it was even a good idea to propose and we 
both agreed it would be. I relinquished my admin access to Hervé in the console 
so, as the Maven PMC Chair, he can provide access to anyone who wants to check 
it out. I believe it would be a great place to do validation and an easy way 
for us to provide anyone with copies of Maven Central who wish it.

I think it would be a relatively simple change where we can give Sonatype a 
key, and then the push moves content to this new infrastructure.

Matt also set up an experiment to push the content of Maven Central to Google's 
CDN which has an HTTPS/S3 interface which you can see here[1]. So the 
equivalent access to Ibiblio can be provided by Google. From here we can also 
manage a push to Ibiblio to maintain consistency.

I encourage folks to get access and take a look around, but I think it's a nice 
offer from Google.

[1]: https://central-repo.storage.googleapis.com

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
http://twitter.com/takari_io
---------------------------------------------------------

believe nothing, no matter where you read it,
or who has said it,
not even if i have said it,
unless it agrees with your own reason
and your own common sense.

 -- Buddha
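
The checksum-manifest check Bernd asks about at the top of this thread, as an added example that is not part of either message: it compares a local mirror against a published manifest and reports missing, modified and unlisted files. It assumes SHA-256 and the `sha256sum` line format (the thread only says "SHAxSUM"), and that the manifest itself was obtained over a trusted channel; all function names are hypothetical.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    entries = {}  # sha256sum lines: "<hex digest>  <relative path>", "*" = binary mode
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            entries[path.removeprefix("*")] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(1 << 20):  # stream in 1 MiB blocks
            h.update(block)
    return h.hexdigest()

def verify_mirror(root, manifest):  # -> (missing, modified, unlisted) relative paths
    root = os.path.realpath(root)
    missing, modified = [], []
    for rel, expected in manifest.items():
        full = os.path.realpath(os.path.join(root, rel))
        if os.path.commonpath([root, full]) != root:  # reject "../" escapes
            raise ValueError(f"manifest path leaves mirror root: {rel!r}")
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != expected:
            modified.append(rel)
    on_disk = {os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/")
               for d, _, names in os.walk(root) for n in names}
    return sorted(missing), sorted(modified), sorted(on_disk - set(manifest))

def demo():
    # Constructed sample: the mirror has a tampered .jar, no .pom, one unlisted file.
    base = "org/example/a/1.0/"
    listed = [("a-1.0.jar", b"jar"), ("a-1.0.pom", b"pom")]
    manifest = parse_manifest("".join(
        f"{hashlib.sha256(d).hexdigest()}  {base}{n}\n" for n, d in listed))
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, base))
        for name, data in [("a-1.0.jar", b"jar-tampered"), ("extra.jar", b"x")]:
            with open(os.path.join(root, base, name), "wb") as f:
                f.write(data)
        return verify_mirror(root, manifest)

if __name__ == "__main__":
    print(demo())
```

One manifest download replaces a per-artifact fetch of `.sha1`/`.md5` sidecar files, and the unlisted-file list catches content added to a mirror that a per-artifact check would never look at.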








