Hi, I was trying to come up with a description of what it would take to make a repository really trustworthy.
As I was writing it I thought... didn't I see something like this on the Maven site? So here I am. Anyways, I wrote the description in a cookbook format. If this matches a subset of what Archiva does, then we could use the description in the Archiva documents perhaps. If there are differences I would be really interested in what they are. I'll be glad to incorporate them into the description and resubmit, if someone has time to review the info. Here it is (Thanks):

Challenge

Ensuring that versioning happens on Maven repository artifacts, along with signature checking on repository-provided dependencies.

Solution

See discussion.

Discussion

Developers need to be assured that the versions they have in their local repository are not updated WITHOUT a corresponding version revision. For example, suppose someone wants to try out ApacheDS, and they also want to build it themselves. Suppose that ApacheDS has the following dependency:

<dependency>
  <artifactId>SuperImportantArtifact</artifactId>
  <version>SuperImportantArtifact</version>
  <scope>compile</scope>
</dependency>

Suppose the provider of SuperImportantArtifact makes a few changes and uploads the changes to ibiblio; however, the provider forgets to change the version correspondingly. Next, someone checks out the ApacheDS build and builds it. Maven downloads the dependencies it needs from ibiblio, including SuperImportantArtifact. However, the developer is getting build errors. We know why in this case. How do we ensure that this case does not happen?

Proposal

* Artifact Download Concern

Have the repository deployer calculate a checksum for artifacts and write the checksum to repository metadata. When Maven deploys an artifact, have it write the checksums into the pom artifact for all the dependencies, and rewrite its own pom with these checksums built in. So now if someone checks out the build from Subversion, say, the pom is checksum-aware, and can validate the corresponding checksum using repository metadata for dependencies that it downloads.

* Artifact Upload Concern

Create a Maven Repository Server that performs revision checking. If someone tries to upload an artifact without changing the version (overwriting an existing artifact), the server complains and sends the complaint back to Maven. Maven then just logs it to the console. This ensures that an artifact does not get overwritten without changing the version.

* Summary

I think with the above two concerns addressed, the process should be fairly tight. We have a unique signature on dependencies, so we match this up with the signature on the repository before the dependency is downloaded. If the signatures don't match, we cancel the build. We also check the upload to make sure that version revision happens.
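The two concerns in the proposal (verify a downloaded dependency against a pinned checksum, and refuse uploads that overwrite an existing version) can be modelled end to end in a few dozen lines. The following is an added example, not code from the post or from Maven/Archiva. It assumes an in-memory stand-in for a repository server that publishes a `.sha1` sidecar next to each artifact (the convention real Maven repositories follow), that the consumer's pom carries the pinned digest (passed here as the `pinned_sha1` parameter rather than parsed from XML), and the constructed coordinates `org.example:SuperImportantArtifact`; the `Repository`, `verify_download` and `scenario` names are hypothetical.

```python
import hashlib
import re
from typing import Dict, Optional, Tuple

# Added example (not the original post's code). Assumptions: the repository writes a
# ".sha1" sidecar beside every artifact, the consumer pins the expected digest in its
# own pom, and a released version must never be overwritten in place.

HEX40 = re.compile(r"^[0-9a-fA-F]{40}\b")


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest, the algorithm Maven's .sha1 sidecar files carry."""
    return hashlib.sha1(data).hexdigest()


def artifact_path(group_id: str, artifact_id: str, version: str, ext: str = "jar") -> str:
    """Standard Maven repository layout: groupId dots become directories."""
    return f"{group_id.replace('.', '/')}/{artifact_id}/{version}/{artifact_id}-{version}.{ext}"


def parse_sidecar(text: str) -> Optional[str]:
    """Extract the digest from a .sha1 sidecar; tolerate 'digest  filename' lines."""
    m = HEX40.match(text.strip())
    return m.group(0).lower() if m else None


class Repository:
    """In-memory stand-in for a repository server (constructed for this example)."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def deploy(self, group_id: str, artifact_id: str, version: str, content: bytes) -> str:
        """Upload concern: accept a new version, refuse to overwrite an existing one."""
        path = artifact_path(group_id, artifact_id, version)
        if path in self.files:
            # The server "complains"; the client would log this and the upload fails.
            raise PermissionError(f"refusing to overwrite {path}; bump the version instead")
        self.files[path] = content
        filename = path.rsplit("/", 1)[-1]
        self.files[path + ".sha1"] = f"{sha1_hex(content)}  {filename}".encode()
        return path

    def fetch(self, path: str) -> Optional[bytes]:
        return self.files.get(path)


def verify_download(repo: Repository, path: str, pinned_sha1: str) -> Tuple[bool, str]:
    """Download concern: bytes must match the repo sidecar AND the consumer's pinned digest.

    The pinned digest is what the consumer recorded in its pom at its own deploy time,
    so a silent re-upload (or a tampered mirror) is caught before the build proceeds.
    """
    content = repo.fetch(path)
    if content is None:
        return False, "artifact missing"
    sidecar = repo.fetch(path + ".sha1")
    published = parse_sidecar(sidecar.decode()) if sidecar else None
    if published is None:
        return False, "no usable .sha1 sidecar published for artifact"
    actual = sha1_hex(content)
    if actual != published:
        return False, f"sidecar mismatch: repo says {published}, bytes hash to {actual}"
    if actual != pinned_sha1.lower():
        return False, f"pinned checksum mismatch: pom pins {pinned_sha1}, got {actual}"
    return True, "ok"


def scenario() -> dict:
    """Walk through the SuperImportantArtifact story from the post."""
    repo = Repository()
    g, a = "org.example", "SuperImportantArtifact"  # constructed coordinates

    # 1. Provider releases 1.0; the consumer (ApacheDS in the story) pins its checksum.
    p10 = repo.deploy(g, a, "1.0", b"class files of 1.0")
    pinned = sha1_hex(b"class files of 1.0")
    good = verify_download(repo, p10, pinned)

    # 2. Provider changes code but forgets to bump the version: the server refuses.
    try:
        repo.deploy(g, a, "1.0", b"class files of 1.0 with changes")
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True

    # 3. A server without the upload check (or a tampered mirror) would let the
    #    bytes change in place; the consumer-side check still catches it.
    repo.files[p10] = b"class files of 1.0 with changes"
    tampered = verify_download(repo, p10, pinned)

    # 4. The right fix: release 1.1; the consumer opts in by updating its pom.
    p11 = repo.deploy(g, a, "1.1", b"class files of 1.1")
    upgraded = verify_download(repo, p11, sha1_hex(b"class files of 1.1"))

    return {"good": good, "overwrite_blocked": overwrite_blocked,
            "tampered": tampered, "upgraded": upgraded}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Step 3 is the case the upload check alone does not cover: if the artifact bytes change underneath an unchanged sidecar, or the sidecar and bytes are both replaced, only the digest pinned on the consumer side distinguishes "what I built against" from "what the repository now serves", which is why the proposal wants both checks rather than either one.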