[ http://jira.codehaus.org/browse/MNG-615?page=all ]
     
Brett Porter closed MNG-615:
----------------------------

    Resolution: Fixed

> Implement repository POM confidence levels
> ------------------------------------------
>
>          Key: MNG-615
>          URL: http://jira.codehaus.org/browse/MNG-615
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-artifact
>     Reporter: Brett Porter
>     Assignee: Brett Porter
>     Priority: Blocker
>      Fix For: 2.0-beta-1
>
> Let's add a source to the distributionManagement in the POM which is 
> rewritten by the repository tool:
> "none" - there is no information about the POM's confidence level (the 
> default)
> "converted" - converted from a Maven 1.x POM, so we can be sure the format is 
> valid but the data within it may be incomplete
> "partner" - synced in directly from a partner site (and was a Maven2 POM, 
> current partners will be converted instead)
> "deployed" - deployed to the repository directly using deploy:deploy
> "verified" - hand verified the information in the POM
> I think this is a sliding scale of confidence in the data. I think each 
> should be able to have an interval attached to it to check for metadata 
> updates (but not updates to the JAR itself - this is just about redownloading 
> the POM). By default, I would check none and converted daily and the rest 
> never. Once again, a CLI switch could check them all again. Your releases 
> could require a certain level of confidence - if you accept anything less 
> than verified, you might risk a reproducibility problem in the future. One 
> change that might be needed is to get maven-proxy to recognise this.
> There has been more than one instance of a jar getting corrupted in the 
> repository too. Because once compromised this might be propagated to multiple 
> levels we do need a way to do integrity checks of local and internal 
> repositories against the main one by checking that the sha1's match up and 
> match what is local. This can be something added at a later date, just wanted 
> to keep it in mind.
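
The integrity check the description asks for, sketched as an added example (not part of the original message and not Maven's own code): it compares each local JAR's SHA-1 with its checksum file and with the digest published by the main repository. The `.sha1` sidecar naming, the `upstream` mapping and the status strings are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha1_of(path):
    """Stream the file so large JARs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def read_sidecar(artifact):
    """Digest from '<artifact>.sha1' ('<hex>' or '<hex>  <name>'), else None."""
    side = Path(str(artifact) + ".sha1")
    if not side.is_file():
        return None
    tokens = side.read_text(errors="replace").split()
    digest = tokens[0].lower() if tokens else ""
    valid = len(digest) == 40 and all(c in "0123456789abcdef" for c in digest)
    return digest if valid else None

def audit(repo_root, upstream):
    """Return {relative path: status} for every JAR under repo_root."""
    # upstream (assumption): {relative path: SHA-1 published by the main repo}
    report = {}
    for art in sorted(Path(repo_root).rglob("*.jar")):
        rel = art.relative_to(repo_root).as_posix()
        actual, local, main = sha1_of(art), read_sidecar(art), upstream.get(rel)
        if main is None:
            report[rel] = "no-upstream-digest"
        elif actual != main.lower():
            # Flagged even when the local sidecar agrees with the file: a
            # checksum regenerated downstream would propagate the bad JAR.
            report[rel] = "content-mismatch"
        elif local != actual:
            report[rel] = "bad-or-missing-sidecar"
        else:
            report[rel] = "ok"
    return report

if __name__ == "__main__":
    # Constructed sample: a JAR whose bytes differ from what upstream published.
    with tempfile.TemporaryDirectory() as tmp:
        rel = "org/example/demo/1.0/demo-1.0.jar"
        jar = Path(tmp, rel)
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"changed bytes")
        Path(str(jar) + ".sha1").write_text(sha1_of(jar))
        print(audit(tmp, {rel: hashlib.sha1(b"original bytes").hexdigest()}))
```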
