On 03/05/2010, Brett Porter <[email protected]> wrote:
>
>  On 01/05/2010, at 3:19 AM, Benjamin Bentmann wrote:
>
>  > Hi,
>  >
>  > considering the recent fixes to checksums for stuff in central, I was
>  > wondering what's the overall state of (existing) checksums on central these
>  > days?
>
>
> Probably still not great.
>
>  We aren't using these for an integrity-of-the-repository purpose, so perhaps 
> it's a good time to automatically fix them on central (keeping a record of 
> what was changed, and what it used to be just in case), then turn on the fail 
> option by default. You can be sure if it fails by default that content will 
> be more carefully managed :)
>

Seems to me that ideally the problems should be fixed at source, i.e.
on the forge (if that's the correct Maven term) that provided the
original data.

Unless there is some independent way of checking that the files being
hashed are the correct files, creating new hashes seems like a bad
idea, as it would allow a corrupt version to be introduced.

Creating new hashes is very different from fixing the format of hash files.

Seems to me that the first step is to prevent any new files being
added to central unless they have valid hashes and signatures to stop
the problem getting worse - or has that already been done?

>  >
>  > Assuming checksums are correct where present, this should put us in a good
>  > position to introduce a new checksum policy "fail-if-present" or just
>  > "strict" some day. The difference to the existing "fail" policy would be to
>  > only fail the build if at least one checksum file to verify is actually
>  > present. Making this policy the default for central would reduce the grief
>  > caused by Maven happily downloading HTTP status pages and trying to build
>  > class paths from HTML files...
>  >
>  >
>  > Benjamin
>  >
>  > ---------------------------------------------------------------------
>  > To unsubscribe, e-mail: [email protected]
>  > For additional commands, e-mail: [email protected]
>  >
>
>
> --
>  Brett Porter
>  [email protected]
>  http://brettporter.wordpress.com/
>
>
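
The difference between the existing "fail" policy and the proposed "fail-if-present" policy discussed in this thread, as an added example that is not from the thread or from Maven's code base. The function names, the sidecar dictionary and the sample bytes are constructed for illustration, and rejecting a checksum file that contains no digest is an assumption.

```python
import hashlib
import re

ALGOS = {"sha1": 40, "md5": 32}  # algorithm -> hex digest length
POLICIES = ("fail", "fail-if-present")

def parse_sidecar(text, algo):
    """Return the hex digest found in a checksum file, or None.

    Accepts a bare digest, 'digest  filename' and 'ALGO (file) = digest'."""
    pattern = r"(?<![0-9a-fA-F])[0-9a-fA-F]{%d}(?![0-9a-fA-F])" % ALGOS[algo]
    m = re.search(pattern, text)
    return m.group(0).lower() if m else None

def check(artifact, sidecars, policy):
    """Return (accepted, reason); sidecars maps algo -> checksum file text."""
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % policy)
    present = {a: t for a, t in sidecars.items() if a in ALGOS and t is not None}
    if not present:
        if policy == "fail":
            return False, "no checksum file available"
        return True, "no checksum file, accepted unverified"
    for algo, text in sorted(present.items()):
        expected = parse_sidecar(text, algo)
        if expected is None:  # assumption: e.g. an HTML page served as .sha1
            return False, algo + ": checksum file has no digest"
        if hashlib.new(algo, artifact).hexdigest() != expected:
            return False, algo + ": mismatch"
    return True, "verified"

# Constructed sample data: a stand-in artifact and an HTTP status page body.
JAR = b"PK\x03\x04 constructed jar bytes"
HTML_PAGE = b"<html><body>404 Not Found</body></html>"
GOOD = {
    "sha1": hashlib.sha1(JAR).hexdigest() + "  example-1.0.jar\n",
    "md5": "MD5 (example-1.0.jar) = " + hashlib.md5(JAR).hexdigest() + "\n",
}

if __name__ == "__main__":
    for name, body, side in [("jar", JAR, GOOD), ("html", HTML_PAGE, GOOD),
                             ("jar, no sidecars", JAR, {})]:
        for policy in POLICIES:
            print(name, policy, check(body, side, policy))
```

A checksum file fetched from the same repository as the artifact only shows that the two agree with each other, so this catches the HTML-instead-of-JAR case but does not establish that the file is the one the original publisher produced.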
