On Wed, 2004-06-09 at 00:11, Julian C. Dunn wrote:

> Well, we all "hope" that nobody mucks up the repository, but that only
> gets you so far -- all you have to do is to ask the Debian or FSF
> maintainers whose sites got cracked how far "hope" gets you.

Yes, I'm well aware. It's not like I'm floating along in la-la land. But I
don't have infinite time, and I tackle what I can, as does anyone else
contributing to Maven.

> I would rather that the Maven community take proactive steps to rectify
> this, rather than getting egg on our collective faces when the repo does
> get mangled, either by accident or on purpose.

Rest assured, we have. Again, things are tackled as deemed fit, and many
people like to comment, but when it comes to stepping up to the plate to
actually do any work, expectations fall much shorter than desired.

> I'll give you an example of a case where even "accidental" repo mangling
> has caused us grief: commons-configuration. The JAR that is up there on
> ibiblio labelled 1.0-dev doesn't contain the same code as the current one
> (also labelled 1.0-dev) which you can download off the Jakarta site. I had
> a developer run across this just today: when he ran his code against what
> he thought was the "correct" 1.0-dev JAR but was in fact the old one from
> ibiblio, the code blew up, predictably.

Yes, these things happen, and it is mostly due to some lax upload
procedures and people using -dev extensions as -SNAPSHOT extensions, which
they were warned about eons ago. This package comes from authors originally
from Turbine, where the -dev preference exists. You were screwed by that
practice, not by Maven inherently. We are trying to close up the gaps wrt
distribution, but whenever there is a gap you can rest assured that someone
will find it, and you got bit in the ass.

> In my mind, the correct approach as suggested by Casey, Pryce et al. is to
> store the MD5 or SHA1 checksums offline, i.e. not in the same place as the
> JARs themselves, and then to transfer those securely. This is basically
> the approach used by the FreeBSD ports system or NetBSD pkgsrc. The actual
> transfer of the JARs need not be secure as long as the checksums are
> trustworthy.

If you would like to expand on that and make a little doc with some
references, I will happily add it to the wiki material that exists there
already.

> - Julian

-- 
jvz.

Jason van Zyl
[EMAIL PROTECTED]
http://maven.apache.org

happiness is like a butterfly: the more you chase it, the more it will
elude you, but if you turn your attention to other things, it will come
and sit softly on your shoulder ...

-- Thoreau
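The offline-checksum scheme Julian describes above, worked through as an added example (not code from this thread, from Maven, or from the FreeBSD/NetBSD tools he cites): a sha1sum-style manifest is generated from the authoritative release bytes and carried over a trusted channel, while the JARs themselves come from an unauthenticated mirror. The manifest format, the function names (`make_manifest`, `parse_manifest`, `verify_artifacts`, `demo`) and the byte strings standing in for JAR contents are all constructed for this example; the scenario in `demo` is modelled on the commons-configuration case in the thread, where the mirror's file shares a name with the release but not its contents.

```python
"""Offline-checksum verification for repository artifacts.

Added example, not from the mailing-list thread or from Maven. The checksum
manifest is produced from the release bytes and distributed separately from
the repository, so a mirror serving a different file under the same name is
detected even though the JAR download itself is not authenticated.
"""
import hashlib
import hmac

# Algorithms named in the thread. SHA-1 and MD5 are no longer collision
# resistant; SHA-256 is the choice for a manifest written today.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def digest_hex(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the artifact bytes with the named algorithm."""
    return ALGORITHMS[algorithm](data).hexdigest()


def make_manifest(release_files: dict, algorithm: str = "sha1") -> str:
    """Build a sha1sum(1)-style manifest ("<hex>  <name>" per line) from the
    authoritative release files. This text is what travels over the trusted
    channel, separately from the JARs."""
    lines = [f"{digest_hex(data, algorithm)}  {name}"
             for name, data in sorted(release_files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse the manifest back into {name: hex}. Blank lines and '#' comments
    are ignored; a malformed line is an error rather than silently skipped."""
    checksums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        expected, name = parts
        checksums[name.strip()] = expected.lower()
    return checksums


def verify_artifacts(fetched: dict, manifest_text: str, algorithm: str = "sha1") -> dict:
    """Compare every fetched artifact against the trusted manifest.

    Returns {name: status} where status is one of:
      ok        bytes match the trusted checksum
      mismatch  bytes differ from the trusted checksum (the stale-JAR case)
      unlisted  the mirror served a file the manifest does not vouch for
      missing   the manifest lists a file the mirror did not provide
    """
    trusted = parse_manifest(manifest_text)
    result = {}
    for name, data in fetched.items():
        if name not in trusted:
            result[name] = "unlisted"
            continue
        actual = digest_hex(data, algorithm)
        # constant-time comparison of the two hex strings
        result[name] = "ok" if hmac.compare_digest(actual, trusted[name]) else "mismatch"
    for name in trusted:
        result.setdefault(name, "missing")
    return result


def demo() -> dict:
    """Constructed scenario: the release site's 1.0-dev JAR and the mirror's
    stale JAR share a file name but not contents."""
    release = {  # constructed stand-ins for real JAR bytes
        "commons-configuration-1.0-dev.jar": b"PK\x03\x04 new 1.0-dev build",
        "commons-lang-2.0.jar": b"PK\x03\x04 commons-lang 2.0",
    }
    manifest = make_manifest(release)  # obtained out-of-band from the project
    mirror = {  # constructed: what the unauthenticated mirror actually serves
        "commons-configuration-1.0-dev.jar": b"PK\x03\x04 old 1.0-dev build",
        "commons-lang-2.0.jar": release["commons-lang-2.0.jar"],
        "unexpected-0.1.jar": b"PK\x03\x04 not in manifest",
    }
    return verify_artifacts(mirror, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The point of the design is the separation Julian draws: the manifest is the only thing that has to arrive intact, and any artifact whose bytes do not match it is rejected whether the divergence came from a stale upload or from a tampered mirror. A file the manifest does not list is reported rather than accepted, since a mirror can add files as easily as it can change them.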