-Mark Diggory
Markus M. May wrote:
Adam is perfectly right about this stuff. There is one more thing we need to
think about. Some repositories treat md5-files different. The structure on
apache.org is [filename - MD5 Hash]. But on ibiblio (maven-repository) it is
just [MD5 Hash]. So this needs to be somehow configurable.
One more thing to think about :-)
Nick wrote:
The MD5 should always come from the authoritative source (apache.org) using https.
I'm not sure if all environments (JVMs) have HTTPS available. In a somewhat perfect world we'd try HTTPS and if it failed try HTTP, unless some 'minimum security' was requested.
I think we'll have to experiment and experince this area over time/iterations.
How are we going to know what the "authoritative" source for a resource is. For java we could enforce a reverse domain name.
Four things:
1) Repository URI/URL is what it is (whatever it is) and the URL for the MD5 ought be the URL for the resources plus ".md5" on the end.
2) As current Ruper thinking (coding) goes ... Mirrors ought mirror the hierarchy, so wherever a resource is in the repo, the .md5 ought be next to it, and the original .md5 ought be in exactly the same relative position (just relative to an apache root).
3) Mirroring is kinda hacked into Ruper right now, it silently moves the root of a repository (originally set relative to the mirror locator CGI script) to one such mirror. As such Ruper doesn't really know about mirrors.
4) We probably need to rethink current thinking... ;-)
regards,
Adam
-- Mark Diggory Software Developer Harvard MIT Data Center http://www.hmdc.harvard.edu
