Stefano Bagnara wrote:
> Once you have all the dependencies maven works even disconnected.
> You need all the plugins [and] all the
> dependencies (system/test/runtime/compile)
> in your local repository.

What is the fastest way to assure that to be the case? For example, if I run svn up and do a maven build, is it then safe to disconnect?

> one of the main maven features is that it automatically does this
> stuff, maybe it does not make sense to use maven if you want
> to manage it all manually.

Believe me, if someone had done this work with ant instead of maven, I'd be a lot happier. However, several of our components, and the web-sites, are now built with maven, so unless we decide to ban maven or I redo it in ant (both are equally unlikely at the moment), making this work properly is important.

> What I don't understand is that we talked a lot of time about removing
> jars from our svn repository because jars should not be included in svn
> within sources and everyone seemed to agree

You must have missed http://mail-archives.apache.org/mod_mbox/james-server-dev/200509.mbox/%3cNBB [EMAIL PROTECTED] :-)

One of the recent repository related discussions was regarding third party dependencies, and we've talked about a repository maintained by ASF projects containing those artifacts upon which they depend. Under such circumstances, I might consider trusting the repository, although still requiring Maven to fix their security issues.

> > As a practical matter, I'm more concerned about our project builds than the
> > web-site builds, although I'd like to be able to do everything while
> > disconnected.
> If you already have all of the dependencies installed in your local
> repository you're safe.

As asked above, how do we ensure that?

> If you have all of the dependencies in non-maven2 form (official
> download) you can manually install each of them in your local
> repository but this will become a PITA because maven

Norman tells me that although he uses Maven to build, he either manually installs the jars or checks them by hand.

> Btw I still don't get where you add security: I bet that you never
> checked that the jars I uploaded to our repository are official and
> signed.

Anything I pull down from SVN is considered trusted because we presume that our Committers *ARE* doing the right things.

No, I would never trust ibiblio. There have already been instances of false artifacts. Again, without signed artifacts, nothing should be trusted that cannot have its origin validated.

> Why should you trust things in our svn more than things automatically
> downloaded by the temporary maven repository I setup on
> people.apache.org for the current poms?

I could trust your stuff, since it is downloaded directly from the ASF infrastructure, but that is also the problem. We cannot permit every committer to create their own private repositories on the infrastructure. We need mirroring to support scaling (which surfaces maven's security issue). You really don't want to do what you did, which is why I keep trying to get you to communicate on the repository@ list.

--- Noel
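The thread turns on two practical points: knowing whether every artifact a build needs is already in the local repository, and whether those artifacts can be trusted rather than "checked by hand". The script below is an added example, not something posted in the thread or shipped by Maven. It walks a local Maven repository (the `~/.m2/repository` layout, which stores a `.sha1` sidecar beside each `.jar` and `.pom`), verifies every artifact against its sidecar, and, when `gpg` is installed and a detached `.asc` signature sits beside the artifact, verifies the signature as well. The function names (`sha1_of`, `verify_sha1`, `verify_sig`, `verify_repo`) and the sample artifact used in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# verify_m2.sh (added example, not from the thread or from Maven itself).
# Audit a local Maven repository: every .jar and .pom is compared with the
# .sha1 sidecar Maven stores next to it; if gpg is present and a detached
# .asc signature exists, that signature is verified too.
# verify_repo exits 0 only when no checksum mismatch or bad signature was seen.

# Lowercase SHA-1 hex digest of a file (sha1sum on Linux, shasum on macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 1 "$1" | awk '{print tolower($1)}'
    fi
}

# Compare one artifact with its .sha1 sidecar.
# Returns 0 on match, 1 on mismatch, 2 when the sidecar is missing.
# Sidecars hold either the bare digest or "digest  filename", so only the
# first token is read.
verify_sha1() {
    artifact="$1"
    sidecar="$artifact.sha1"
    if [ ! -f "$sidecar" ]; then
        echo "MISSING-SHA1 $artifact"
        return 2
    fi
    expected=$(head -n 1 "$sidecar" | awk '{print tolower($1)}')
    actual=$(sha1_of "$artifact")
    if [ "$expected" = "$actual" ]; then
        echo "OK           $artifact"
        return 0
    fi
    echo "MISMATCH     $artifact (sidecar $expected, actual $actual)"
    return 1
}

# Verify a detached signature when one exists and gpg is available.
# Returns 0 = good signature, 1 = bad signature, 3 = no signature or no gpg.
verify_sig() {
    artifact="$1"
    sig="$artifact.asc"
    [ -f "$sig" ] || return 3
    command -v gpg >/dev/null 2>&1 || return 3
    if gpg --verify "$sig" "$artifact" >/dev/null 2>&1; then
        echo "SIGNED       $artifact"
        return 0
    fi
    echo "BAD-SIG      $artifact"
    return 1
}

# Walk the repository and tally results. Any checksum problem or bad
# signature fails the run; unsigned artifacts are only counted and reported.
verify_repo() {
    repo="$1"
    [ -d "$repo" ] || { echo "no such repository: $repo" >&2; return 1; }
    ok=0; bad=0; unsigned=0
    list=$(mktemp)
    find "$repo" -type f \( -name '*.jar' -o -name '*.pom' \) | sort > "$list"
    # read from a file rather than a pipe so the counters survive the loop
    while IFS= read -r f; do
        rc=0; verify_sha1 "$f" || rc=$?
        if [ "$rc" -eq 0 ]; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
        rc=0; verify_sig "$f" || rc=$?
        if [ "$rc" -eq 3 ]; then unsigned=$((unsigned + 1)); fi
        if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
    done < "$list"
    rm -f "$list"
    echo "checked: $((ok + bad))  ok: $ok  problems: $bad  unsigned: $unsigned"
    [ "$bad" -eq 0 ]
}

# Run as a script:  sh verify_m2.sh ~/.m2/repository
if [ "$#" -gt 0 ]; then
    verify_repo "$1"
fi
```

A matching `.sha1` sidecar only shows that the file on disk is the one the mirror served, because the sidecar was fetched from the same place as the artifact; it says nothing about who published it. That is the gap the thread is about: only a signature checked against a key you trust validates origin, which is why the script reports the unsigned count separately and why a high count on a repository populated from a mirror deserves a second look before building disconnected.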
