cstamas commented on code in PR #203: URL: https://github.com/apache/maven-resolver/pull/203#discussion_r1004085010
########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SummaryFileTrustedChecksumsSource.java: ########## 
@@ -27,45 +28,62 @@ import java.io.UncheckedIOException; import java.nio.charset.StandardCharsets; import java.nio.file.Files; -import java.nio.file.NoSuchFileException; import java.nio.file.Path; import java.util.ArrayList; -import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Objects; -import java.util.Set; -import java.util.TreeSet; import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.atomic.AtomicBoolean; import org.eclipse.aether.MultiRuntimeException; import org.eclipse.aether.RepositorySystemSession; import org.eclipse.aether.artifact.Artifact; +import org.eclipse.aether.internal.impl.LocalPathComposer; import org.eclipse.aether.repository.ArtifactRepository; import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory; -import org.eclipse.aether.util.artifact.ArtifactIdUtils; +import org.eclipse.aether.util.ConfigUtils; +import org.eclipse.aether.util.FileUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import static java.util.Objects.requireNonNull; +import static java.util.stream.Collectors.toList; /** * Compact file {@link FileTrustedChecksumsSourceSupport} implementation that use specified directory as base - * directory, where it expects a "summary" file named as "checksums.${checksumExt}" for each checksum algorithm, and - * file format is artifact ID and checksum separated by space per line. The format supports comments "#" (hash) and - * empty lines (both are ignored). + * directory, where it expects a "summary" file named as "checksums.${checksumExt}" for each checksum algorithm. + * File format is GNU Coreutils compatible: each line holds checksum followed by two spaces and artifact relative path + * (from local repository root, without leading "./"). 
This means that trusted checksums summary file can be used to + * validate artifacts or generate it using standard GNU tools like GNU {@code sha1sum} is (for BSD derivatives same + * file can be used with {@code -r} switch). * <p> - * The source may be configured to be "origin aware", in that case it will factor in origin repository ID as well into - * file name (for example "checksums-central.sha1"). + * The format supports comments "#" (hash) and empty lines for easier structuring the file content, and both are + * ignored. Also, their presence makes the summary file incompatible with GNU Coreutils format. On save of the + * summary file, the comments and empty lines are lost, and file is sorted by path names for easier diffing + * (2nd column in file). * <p> - * The checksums file once loaded are cached in session, so in-flight file changes during lifecycle of session are NOT - * noticed. + * The source by default is "origin aware", and it will factor in origin repository ID as well into summary file name, + * for example "checksums-central.sha256". + * <p> + * Example commands for managing summary file (in examples will use repository ID "central"): + * <ul> + * <li>To create summary file: {@code find * -not -name "checksums-central.sha256" -type f -print0 | + * xargs -0 sha256sum | sort -k 2 > checksums-central.sha256}</li> + * <li>To verify artifacts using summary file: {@code sha256sum --quiet -c checksums-central.sha256}</li> + * </ul> + * <p> + * The checksums summary file is lazily loaded and remains cached in session, so file changes during lifecycle of the + * session are not picked up. This implementation can be simultaneously used to lookup and also write checksums. The + * written checksums will become visible only for writer session, and newly written checksums, if any, will be flushed Review Comment: As explained above, summary contains a list of file -> checksum for given algorithm (one file is one algorithm). 
Moreover, the default is "origin aware", so that above is really "list of files -> checksum for given algorithm per repository". Actually, I am unsure what you ask here, "not per file and not per gav"? What is it then?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
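Review bot: In the class Javadoc of SummaryFileTrustedChecksumsSource, the sentence ending "generate it using standard GNU tools like GNU {@code sha1sum} is (for BSD derivatives same file can be used with {@code -r} switch)" has a stray "is" and does not parse. Suggest rewording it so that it says plainly that the summary file can be both generated and verified with the standard tools, and naming sha256sum there so that it matches the "checksums-central.sha256" examples in the list below it. In the create example, "sort -k 2" orders by the current locale's collation, while the Javadoc says the file is sorted by path names on save for easier diffing. If the two orderings are meant to agree, running the example as "LC_ALL=C sort -k 2" gives a stable byte order. The same example uses "find *", which skips top-level dot-files and would misread a name starting with "-" as an option. A short remark that it is written this way to avoid the leading "./" would keep readers from "fixing" it into "find ." and producing paths the loader does not expect.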