> I'll be the Ant rep. Great, thanks.
> I am co-author of the (still stabilising) Ant <libraries> task; it'd yeah, I've got to 50 mail threads sitting flagged in gmail to read one day, as this is about the extent of what I know about it :) (after you introduced it to repository@ last year) > 1. security. this could be with MD5 checksums, or it could be with > signed JARs. MD5's aren't going to do much for security - they're mainly for download integrity. checking and publishing ASC files is a definite want I have, and that can be ramped up to the level of security you need (there are obviously varying levels of trust of the files and the KEYS themselves). > JAR signing needs retrofitting to existing files, but has > the advantage that JVMs integrate with it and you can do other tricks > (like put http://ibiblio.org.../artifact.jar on the classpath with > security turned on) That I haven't looked into, but would also be a good, but optional feature. I think this is more of a build feature than a repository feature? In fact, I'm sure we already do this for JNLP. > 2. licenses. not just auto-download of .LICENSE files, but ideally > some way to do click-through that even Sun are happy with. Yeah, there's a low hundreds JIRA entry for that (ie OLD :) I think even that wouldn't fly with Sun IIRC but it doesn't hurt to ask. Should be easy to add hooks and allow a user to say "never ask again for this license" to always accept ASL or something, but still report the license on download. Good ideas and reminders - keep them coming, and I'll put all this together on the wiki tomorrow-ish. Thanks, Brett
