Hi there, Index already contains the SHA1 sums of _indexed_ artifacts (if available). It all depends only on how up-to-date index is (is just released artifacts might not be on index yet...)
HTH, ~t~ On Wed, Aug 27, 2014 at 4:49 PM, Bernd Eckenfels <[email protected]> wrote: > Hello Jason, > > a somewhat related question. would it be possible to publish a SHAxSUM > file of all the artifacts of the repository? I figured this would be much > more efficient than walking any of the repos to validate local mirrors. It > also can be used to detect modifications to released artifacts without the > need of guessing PGP keys. > > Maybe the index process already has that information available... > > Bernd > > -- > http://bernd.eckenfels.net > > ----- Ursprüngliche Nachricht ----- > Von: "Jason van Zyl" <[email protected]> > Gesendet: 27.08.2014 14:11 > An: "Maven Developers List" <[email protected]> > Betreff: [Proposal] New Mirror for Maven Central > > Hi, > > As part of our discussions with Sonatype I would like to propose a new > location for our agreed upon 3rd party mirror for Maven Central. > > About a year ago a friend of mine, Matt Stephenson, who was at Google (he > now works at Square), asked if there was a way to get a copy of Maven > Central for Google to do some analysis and prototyping. I always have an > up-to-date copy of Maven Central and what they wanted to do sounded > interesting and generally useful so I said sure and that I would drop off a > drive for Matt at the SF office. Instead they suggested that I use the new > Cloud infrastructure and setup the mirroring on one of their machines and > so we did that. Over the last year I've worked with Matt and met more > people at Google and ultimately they offered to pay for any of the machines > and bandwidth required to house the mirror of Maven Central. Why would > Google pay for this? They have made some developer tools based on the data, > they have done their own security analysis for the protection of their own > systems that use Java, and they want to leverage a near-copy of Maven > Central for systems like Google App Engine. The cost of storage is nominal > (40 dollars a month for 2TB) and if the cost of the whole system is less > than one FTE (150-200k/year) it's not even going to register. > > I think Google is generally to be thought of as a good OSS partner and > they have supported many programs and efforts for many years. I asked them > a few months ago if they would support the Maven PMC in having a long-term > location for a mirror of Maven Central for our purposes and they liked the > idea. It's mutually beneficial. > > So I would like to propose that we use this infrastructure for the place > for our agreed upon 3rd party mirror location. A few weeks ago I showed > this to Hervé to see what he thought and if it was even a good idea to > propose and we both agreed it would be. I relinquished my admin access to > Hervé in the console so, as the Maven PMC Chair, he can provide access to > anyone who wants to check it out. I believe it would be a great place to do > validation and an easy way for us to provide anyone with copies of Maven > Central who wish it. > > I think it would be a relatively simple change where we can give Sonatype > a key, and then the push moves content to this new infrastructure. > > Matt also setup an experiment to push the content of Maven Central to > Google's CDN which has an HTTPS/S3 interface which you can see here[1]. So > the equivalent access to Ibiblio can be provided by Google. From here we > can also manage a push to Ibiblio to maintain consistency. > > I encourage folks to get access and take a look around, but I think it's a > nice offer from Google. > > [1]: https://central-repo.storage.googleapis.com > > Thanks, > > Jason > > ---------------------------------------------------------- > Jason van Zyl > Founder, Apache Maven > http://twitter.com/jvanzyl > http://twitter.com/takari_io > --------------------------------------------------------- > > believe nothing, no matter where you read it, > or who has said it, > not even if i have said it, > unless it agrees with your own reason > and your own common sense. > > -- Buddha > > > > > > > > > >
