Implement repository POM confidence levels
------------------------------------------

         Key: MNG-615
         URL: http://jira.codehaus.org/browse/MNG-615
     Project: Maven 2
        Type: New Feature
  Components: maven-artifact
    Reporter: Brett Porter
    Priority: Blocker
     Fix For: 2.0-beta-1


Let's add a source to the distributionManagement in the POM which is rewritten 
by the repository tool:

- "none" - there is no information about the POM's confidence level (the default)
- "converted" - converted from a Maven 1.x POM, so we can be sure the format is 
  valid but the data within it may be incomplete
- "partner" - synced in directly from a partner site (and was a Maven2 POM, 
  current partners will be converted instead)
- "deployed" - deployed to the repository directly using deploy:deploy
- "verified" - hand verified the information in the POM

I think this is a sliding scale of confidence in the data. I think each should 
be able to have an interval attached to it to check for metadata updates (but 
not updates to the JAR itself - this is just about redownloading the POM). By 
default, I would check none and converted daily and the rest never. Once again, 
a CLI switch could check them all again. Your releases could require a certain 
level of confidence - if you accept anything less than verified, you might risk 
a reproducibility problem in the future. One change that might be needed is to 
get maven-proxy to recognise this.

There has been more than one instance of a jar getting corrupted in the 
repository too. Because, once compromised, this might be propagated to multiple 
levels, we do need a way to do integrity checks of local and internal 
repositories against the main one by checking that the sha1's match up and 
match what is local. This can be something added at a later date, just wanted 
to keep it in mind.



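The confidence scale, default re-check intervals and release gate proposed in the issue above, as an added Python sketch that is not Maven code and not part of the original message. The element path distributionManagement/source without a namespace, the function names, the fallback of unknown values to "none", and the sample artifact names are assumptions.

```python
# Added illustration of the MNG-615 proposal; not Maven's implementation.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Sliding scale from the issue, lowest confidence first.
LEVELS = ["none", "converted", "partner", "deployed", "verified"]

# Defaults from the issue: re-check none/converted daily, the rest never (None).
DEFAULT_INTERVALS = {
    "none": timedelta(days=1),
    "converted": timedelta(days=1),
    "partner": None,
    "deployed": None,
    "verified": None,
}


def pom_confidence(pom_xml):
    """Read the confidence level; missing or unknown values count as "none"."""
    # Assumed layout: <distributionManagement><source>...</source>, no namespace.
    value = ET.fromstring(pom_xml).findtext("distributionManagement/source")
    value = (value or "none").strip().lower()
    return value if value in LEVELS else "none"  # assumption: fail closed


def needs_recheck(level, last_checked, now, force=False):
    """True if the POM (not the JAR) should be downloaded again."""
    if force:  # the CLI switch that re-checks every level
        return True
    interval = DEFAULT_INTERVALS[level]
    return interval is not None and now - last_checked >= interval


def below_minimum(dependency_poms, minimum="verified"):
    """Names of dependencies whose POM confidence is under the release minimum."""
    floor = LEVELS.index(minimum)
    return sorted(
        name for name, pom_xml in dependency_poms.items()
        if LEVELS.index(pom_confidence(pom_xml)) < floor
    )


# Constructed sample POMs keyed by hypothetical artifact names.
_DM = "<project><distributionManagement><source>%s</source></distributionManagement></project>"
SAMPLE_POMS = {
    "example-lib-a": _DM % "converted",
    "example-lib-b": _DM % "verified",
    "example-lib-c": "<project><artifactId>example-lib-c</artifactId></project>",
}
```

A release build would refuse to proceed while below_minimum(...) returns a non-empty list for its dependency set.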