michael-o commented on code in PR #203:
URL: https://github.com/apache/maven-resolver/pull/203#discussion_r1004095720
##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SummaryFileTrustedChecksumsSource.java:
##########
@@ -27,45 +28,62 @@
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
-import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
-import java.util.Set;
-import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicBoolean;
import org.eclipse.aether.MultiRuntimeException;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.internal.impl.LocalPathComposer;
import org.eclipse.aether.repository.ArtifactRepository;
import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory;
-import org.eclipse.aether.util.artifact.ArtifactIdUtils;
+import org.eclipse.aether.util.ConfigUtils;
+import org.eclipse.aether.util.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static java.util.Objects.requireNonNull;
+import static java.util.stream.Collectors.toList;
/**
* Compact file {@link FileTrustedChecksumsSourceSupport} implementation that
use specified directory as base
- * directory, where it expects a "summary" file named as
"checksums.${checksumExt}" for each checksum algorithm, and
- * file format is artifact ID and checksum separated by space per line. The
format supports comments "#" (hash) and
- * empty lines (both are ignored).
+ * directory, where it expects a "summary" file named as
"checksums.${checksumExt}" for each checksum algorithm.
+ * File format is GNU Coreutils compatible: each line holds checksum followed
by two spaces and artifact relative path
+ * (from local repository root, without leading "./"). This means that trusted
checksums summary file can be used to
+ * validate artifacts or generate it using standard GNU tools like GNU {@code
sha1sum} is (for BSD derivatives same
+ * file can be used with {@code -r} switch).
* <p>
- * The source may be configured to be "origin aware", in that case it will
factor in origin repository ID as well into
- * file name (for example "checksums-central.sha1").
+ * The format supports comments "#" (hash) and empty lines for easier
structuring the file content, and both are
+ * ignored. Also, their presence makes the summary file incompatible with GNU
Coreutils format. On save of the
+ * summary file, the comments and empty lines are lost, and file is sorted by
path names for easier diffing
+ * (2nd column in file).
* <p>
- * The checksums file once loaded are cached in session, so in-flight file
changes during lifecycle of session are NOT
- * noticed.
+ * The source by default is "origin aware", and it will factor in origin
repository ID as well into summary file name,
+ * for example "checksums-central.sha256".
+ * <p>
+ * Example commands for managing summary file (in examples will use repository
ID "central"):
+ * <ul>
+ * <li>To create summary file: {@code find * -not -name
"checksums-central.sha256" -type f -print0 |
+ * xargs -0 sha256sum | sort -k 2 > checksums-central.sha256}</li>
+ * <li>To verify artifacts using summary file: {@code sha256sum --quiet -c
checksums-central.sha256}</li>
+ * </ul>
+ * <p>
+ * The checksums summary file is lazily loaded and remains cached in session,
so file changes during lifecycle of the
+ * session are not picked up. This implementation can be simultaneously used
to lookup and also write checksums. The
+ * written checksums will become visible only for writer session, and newly
written checksums, if any, will be flushed
Review Comment:
This is basically what I understood.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
