Author: stevel Date: Mon Mar 6 13:47:42 2006 New Revision: 383684 URL: http://svn.apache.org/viewcvs?rev=383684&view=rev Log: This bit of complexity verifies the sha1 key of the m2 library against what is in the libraries file.
Provided the ant distro is validated, this ensures that the maven library that comes down is also valid. Modified: ant/core/trunk/fetch.xml ant/core/trunk/lib/libraries.properties
Modified: ant/core/trunk/fetch.xml URL: http://svn.apache.org/viewcvs/ant/core/trunk/fetch.xml?rev=383684&r1=383683&r2=383684&view=diff ==============================================================================
--- ant/core/trunk/fetch.xml (original)
+++ ant/core/trunk/fetch.xml Mon Mar 6 13:47:42 2006
@@ -77,6 +77,7 @@
 <target name="probe-m2" depends="pick-dest">
 <!-- Look for M2 ant tasks in our classpath-->
+ <property name="m2.artifact" location="${dest.dir}/${m2.jar.name}"/>
 <available property="m2.antlib.found" resource="org/apache/maven/artifact/ant/antlib.xml" />
 <condition property="m2.antlib.typefound">
@@ -85,18 +86,48 @@
 </target>
- <target name="get-m2" depends="probe-m2,pick-dest" unless="m2.antlib.found">
+ <target name="download-m2" depends="probe-m2,pick-dest" unless="m2.antlib.found">
 <!-- fetch M2 ant tasks into our repository, if it is not there-->
 <get src="${m2.antlib.url}"
- dest="${dest.dir}/${m2.jar.name}"
+ dest="${m2.artifact}"
 verbose="true" usetimestamp="false"/>
+ </target>
+
+ <target name="dont-validate-m2-checksum" depends="probe-m2"
+ if="m2.antlib.found">
+ <property name="checksum.equal" value="true" />
+ </target>
+
+ <target name="validate-m2-checksum"
+ depends="download-m2,dont-validate-m2-checksum"
+ if="m2.sha1.checksum" unless="m2.antlib.found">
+ <checksum file="${m2.artifact}"
+ algorithm="SHA"
+ property="${m2.sha1.checksum}"
+ verifyProperty="checksum.equal"/>
+ </target>
+
+ <target name="checksum-mismatch" depends="validate-m2-checksum"
+ unless="checksum.equal" if="m2.sha1.checksum">
+ <delete file="${m2.artifact}"/>
+ <fail >
+ Failed to verify the downloaded file ${m2.antlib.url}" against the checksum
+ coded into libraries.properties.
+ The local copy has been deleted, for security reasons
+ </fail>
+ </target>
+
+ <target name="checksum-match" depends="checksum-mismatch"
+ unless="checksum.equal">
 <fail status="0">
- The Maven2 JAR has been installed; rerun ant to load it.
+ The Maven2 JAR has been installed; rerun Ant to load it.
 </fail>
- </target>
-
-
+ </target>
+
+ <target name="get-m2" depends="checksum-match"
+ description="Download the Maven2 Ant tasks"/>
+
 <target name="macros" depends="get-m2" xmlns:artifact="antlib:org.apache.maven.artifact.ant">
Modified: ant/core/trunk/lib/libraries.properties URL: http://svn.apache.org/viewcvs/ant/core/trunk/lib/libraries.properties?rev=383684&r1=383683&r2=383684&view=diff ==============================================================================
--- ant/core/trunk/lib/libraries.properties (original)
+++ ant/core/trunk/lib/libraries.properties Mon Mar 6 13:47:42 2006
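Review bot: The mismatch handler looks unreachable after a failed check: `checksum-mismatch` is gated on `unless="checksum.equal"`, which tests only whether the property is set, while Ant's `<checksum>` task is documented to set its `verifyProperty` to either `true` or `false`. A failed verification would therefore leave `checksum.equal` set to `false`, skipping both the `<delete>` and the `<fail>` and leaving the unverified JAR in `${dest.dir}`; this is worth confirming by running the target with a deliberately wrong `m2.sha1.checksum`. I would have the task write to a separate property, `verifyProperty="checksum.result"`, and derive the gate from its value with `<condition property="checksum.equal"><istrue value="${checksum.result}"/></condition>`. Also, `if="m2.sha1.checksum"` on `validate-m2-checksum` makes the check fail open when that property is absent, and the `<fail>` text carries a stray `"` after `${m2.antlib.url}`.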
@@ -1,13 +1,15 @@
 #this file declares the libraries for use in
 #a given release of the components
-m2.version=2.0
+#if you change this, change the checksum to match
+m2.version=2.0.1
 m2.url=http://ibiblio.org/maven2/
 m2.artifact-name=maven-artifact-ant
 m2.jar.name=${m2.artifact-name}-${m2.version}-dep.jar
 #this is the URL of the antlib library, that is pulled down for everything else.
 m2.antlib.url=${m2.url}/org/apache/maven/${m2.artifact-name}/${m2.version}/${m2.jar.name}
-
+#this is the sha1 checksum of the artifact
+m2.sha1.checksum=7240828f1744c1f9f8b158a026ac368a03f536a3
 #versions of different libraries. Please keep in alphabetical order, except
@@ -23,7 +25,7 @@
 junit.version=3.8.1
 jsch.version=0.1.17
 jython.version=3.8.1
-log4j.version=1.2.12
+log4j.version=1.2.13
 #rhino.version=1.5R5
 oro.version=2.0.8
 regexp.version=1.3
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
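Review bot: The `m2.sha1.checksum` pin added in the first hunk is the only integrity control on this download, because `m2.url` in the context lines is plain `http://`, yet the comment does not say how the value was obtained or what it covers. I would expand the new comment to something like `#sha1 of ${m2.jar.name} at m2.version above, computed from a copy verified out of band; update both together`. The reminder above `m2.version` and the checksum sit several lines apart, so keeping the two properties adjacent would make a stale pin harder to miss. SHA-1 was a reasonable choice when this was written; today a stronger digest via the `algorithm` attribute of `<checksum>` would be preferable.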