[ https://issues.apache.org/jira/browse/SOLR-14688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306659#comment-17306659 ]
Noble Paul commented on SOLR-14688: ----------------------------------- We expect the whole system to be a single artifact How I expect it to work. You make your packaged Solr with the jars and the hash of the jars included in the package. /solr/ /trusted_artifacts.txt (location of this file TBD) /userfiles/ /jar1.jar (this can be anywhere under the userfiles) /jar2.jar package manager should read and keep a copy of trusted_artifacts.txt in memory (if it is present). When a jar is to be loaded and it has no corresponding metadata, it checks if the hash of the jar is present in trusted_artifacts.txt. if yes, it totally bypasses verifying the jar using public key stored in ZK > First party package implementation design > ----------------------------------------- > > Key: SOLR-14688 > URL: https://issues.apache.org/jira/browse/SOLR-14688 > Project: Solr > Issue Type: Improvement > Reporter: Noble Paul > Priority: Major > Labels: package, packagemanager > > Here's the design document for first party packages: > https://docs.google.com/document/d/1n7gB2JAdZhlJKFrCd4Txcw4HDkdk7hlULyAZBS-wXrE/edit?usp=sharing > Put differently, this is about package-ifying our "contribs". -- This message was sent by Atlassian Jira (v8.3.4#803005)