On Wed, 5 Jan 2005 23:42:30 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > > JAR signing needs retrofitting to existing files, but has > > the advantage that JVMs integrate with it and you can do other tricks > > (like put http://ibiblio.org.../artifact.jar on the classpath with > > security turned on) > > That I haven't looked into, but would also be a good, but optional > feature. I think this is more of a build feature than a repository > feature? In fact, I'm sure we already do this for JNLP.
yes, its a build feature. But if every jar was signed then you can verify that it hasnt been tampered with, without having to verify MD5s against those of a remote https site, etc etc. But it is side-effecting on the jar. > > > 2. licenses. not just auto-download of .LICENSE files, but ideally > > some way to do click-through that even Sun are happy with. > > Yeah, there's a low hundreds JIRA entry for that (ie OLD :) I think > even that wouldn't fly with Sun IIRC but it doesn't hurt to ask. I've been talking to Jesse Glick of the Netbeans team; they have some public server with their own ant tasks to click-through licensing every fetch -and provide a key for automated builds if you can justify it. What I'd like is -license only appears if there is a change in the .LICENSE file -in ant, the popup license would be managed so that IDEs, Cruise control can do their own thing. -you could register a set of licenses you always accept : "Apache,LGPL,Sun" That'd need every license to be represented with a family and a version, which means an XML file if I am not mistaken. -steve
