On 15/07/2011, at 10:27 PM, Spencer Allain wrote: > A full pgp signing plugin is certainly useful, and necessary for the maven > stuff. > > There is value in the less powerful, but still handy MD5 and SHA1 > "signature/digest". I know there are restrictions for some places to not be > allowed to utilize software (read jars) unless both are provided -- since the > probability of creating a false data product that hashes correct to both is > vanishingly small. > > Would MD5/SHA1 hashing belong in such a plugin or would a separate > digest/hashing/checksum plugin make more sense? It would be nice to have > gradle be able to create them without having to manually use the > MessageDigest class - especially since there is already a HashUtil class > within gradle for at least MD5. Two overrides to those methods to allow the > explicit MD5 to be selectable would mean the whole framework is already there > for hashing. > > Thoughts on where such functionality belongs? It would very much mimic how > the signing plugin works (assuming it doesn't belong in that plugin), > although with fewer options because none of the username, password, or file > to read are necessary.
The core mechanics of generating 1-to-1 artifacts based on the content of other produced artifacts will be stripped out of the signing plugin and packaged internally in a more general model. That's about 85% of the signing plugin code. With that in place, and a few more abstractions, checksumming becomes trivial to add. You just provide a thing that takes bytes, and spits out the bytes for the checksum. So to answer the question, checksumming would likely be its own plugin but it would leverage tasks and interfaces that will move from the signing plugin into the core. -- Luke Daley Principal Engineer, Gradleware http://gradleware.com --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email
