Re: MD5, SHA1, but nothing (still) safe?
Mickael Istria writes:

> While I'm investigating into Maven code to allow re-using checksums of
> Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and
> .sha1 seems to be used by Wagon and then also noticed that Maven Central
> doesn't contain a "safe" digest signature either.
[...]
> Is there an issue already open to move towards sha256 or should I create a
> new one?

Michael, as you know, Maven differs from Equinox's p2 approach to resolve and download artifacts - in Maven world, closest match to what p2 does would be a combination of Sonatype Nexus' Remote Index (metadata) and repo.maven.apache.org (artifacts).

So that Maven would first download remote index (from an ultimately trusted source, which provides additional information about available artifacts, including checksums) and resolve list of dependencies to download based on that information only. In a second step, it would download actual artifacts using either the same repo.maven.apache.org or any other source. This second step can then use less trusted sources (3rd-party mirrors).

This difference seems to me as root cause of the initial confusion with your question. With this in mind, as was mentioned already, moving to stronger checksums is not that important or useful for Maven.

All discussion about stronger checksums in p2 [1] was relevant only because my goal was to enable support for peer-to-peer protocols (more generally, any content-addressable storage AKA bittorrent, ipfs and alike) alongside location-addressable storage. And for this use case support for extensible set of (cryptographically strong) checksum algorithms is a must.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=423715

--
Mykola
Libre/Free Java Software Developer
https://manandbytes.gitlab.io/

---
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
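Added example (not part of the original message, and not Maven, Wagon or p2 code): a sketch of the two-step model described above, where checksums come from a trusted index and the bytes come from a less trusted mirror. The function names, the `org.example:demo:1.0` coordinates and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

# Strongest first; sha1/md5 are accepted only if the caller opts in.
PREFERENCE = ["sha512", "sha256", "sha1", "md5"]
WEAK = {"sha1", "md5"}

def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()

def verify_against_index(data: bytes, expected: dict, allow_weak: bool = False) -> str:
    """Check bytes fetched from any source against checksums taken from the
    trusted index. Returns the algorithm used; raises ValueError on failure."""
    usable = [a for a in PREFERENCE
              if a in expected and (allow_weak or a not in WEAK)]
    if not usable:
        raise ValueError("index entry has no acceptable checksum algorithm")
    algo = usable[0]  # strongest algorithm the index entry offers
    if not hmac.compare_digest(digest(data, algo), expected[algo].lower()):
        raise ValueError(f"{algo} mismatch")
    return algo

def verify_against_sidecar(data: bytes, sidecar_text: str, algo: str = "sha1") -> bool:
    """Check against a checksum file served next to the artifact. This only
    detects transfer corruption, because the same source controls both."""
    return digest(data, algo) == sidecar_text.split()[0].lower()

# Constructed sample data: artifact bytes and the trusted index entry for them.
ORIGINAL = b"constructed artifact bytes v1.0"
TRUSTED_INDEX = {
    "org.example:demo:1.0": {
        "sha1": digest(ORIGINAL, "sha1"),
        "sha256": digest(ORIGINAL, "sha256"),
    }
}

def mirror_fetch(tampered: bool):
    """Simulated 3rd-party mirror: returns (artifact bytes, .sha1 sidecar)."""
    data = ORIGINAL + b" [modified]" if tampered else ORIGINAL
    return data, digest(data, "sha1")  # a mirror can regenerate its sidecar

if __name__ == "__main__":
    entry = TRUSTED_INDEX["org.example:demo:1.0"]
    for tampered in (False, True):
        data, sidecar = mirror_fetch(tampered)
        try:
            result = "ok via " + verify_against_index(data, entry)
        except ValueError as err:
            result = f"rejected ({err})"
        print(tampered, verify_against_sidecar(data, sidecar), result)
```

The sidecar check passes for both downloads, while the index check rejects the modified one; the index entry can carry new algorithms without changing the caller.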
Re: Paypal Declares Latest Release Pom in Maven Central
Petar Tahchiev writes:

[...]
> Is there any way to tell Paypal to update their pom.xml and upload a
> new version?

Voting with your $$$ aside, try this:

https://github.com/paypal/merchant-sdk-java/commit/62fc5b74bc964fb3cf5f69c70e2a25ab70064e66.patch

--
Mykola
Libre/Free Java Software Developer
https://manandbytes.gitlab.io/
Re: Build DAG traversal.
Paul Hammant writes:

> mvn clean install -DskipTests
> -Dmaven.repo.local=/usr/local/var/MAVEN_CI_REPOSITORY

This would compile and test-compile for the first time...

> mvn surefire:test -Dmaven.repo.local=/usr/local/var/MAVEN_CI_REPOSITORY

Run compile and test-compile one more time, on the same sources, for artifacts that had been just installed. Does it make sense to skip them with '-Dmaven.main.skip=true -Dmaven.test.skip=true' [1]?

[1] https://maven.apache.org/plugins/maven-compiler-plugin/compile-mojo.html#skipMain

--
Mykola
Libre/Free Java Software Engineer
https://manandbytes.gitlab.io/
[jira] Created: (MPMULTIPROJECT-56) Wrong basedir property in produces unuseful error message
Key: MPMULTIPROJECT-56
URL: http://jira.codehaus.org/browse/MPMULTIPROJECT-56
Project: maven-multiproject-plugin
Type: Bug
Versions: 1.4.1
Environment: Linux, Maven 1.0.2/Maven 1.1-beta-1
Reporter: Mykola Nikishov
Assigned to: Brett Porter
Attachments: extendbug.tar.gz, wrongextend.patch

In one of my projects I've misspelt basedir property in such way:

--- ok/project.xml 2005-08-05 00:55:49.0 +0300 +++ bug/project.xml 2005-08-05 00:55:28.0 +0300 @@ -1,6 +1,6 @@ -${basedir}/../project.xml +{$basedir}/../project.xml 3

and Maven reported about:

File.. /home/mn/.maven/cache/maven-multiproject-plugin-1.4.1/plugin.jelly
Element... maven:reactor
Line.. 64
Column 9
Unknown error reading project

for Maven 1.1-beta-1 and

File.. /home/mn/.maven/cache/maven-multiproject-plugin-1.4.1/plugin.jelly
Element... maven:reactor
Line.. 64
Column 9
Parent POM is equal to the current POM

for Maven 1.0.2

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
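Review bot: on the `+` line the `$` sits inside the brace (`{$basedir}/../project.xml`) where the `-` line has `${basedir}`, and neither error quoted for plugin.jelly line 64 ("Unknown error reading project", "Parent POM is equal to the current POM") names that value or the project.xml it was read from. Suggest the error message quote the parent path it tried to read, so a misspelt property like this one is visible in the output.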