Hi Brett,
I read your proposal maybe more than 1 month ago, and it seems very good
to me.
IIRC this is something still being discussed and there is no real
roadmap (no developer to be assigned) for it to be included in the next
Maven 2.1 release: is this correct?
Otherwise, can you give an ETA for this stuff? I don't want to hurry
you, I just would like to have an estimated time (1 month? 3 months? 1
year?) so that we can take it into consideration while discussing
alternative interim solutions.
I CC [email protected] (where Noel was discussing with us about
this topic, before I moved to repository@ to find further suggestions)
so we've much more probability Noel is listening.
Stefano
Brett Porter wrote:
On 17/09/06, Stefano Bagnara <[EMAIL PROTECTED]> wrote:
One of the James PMC members is concerned (and we, the other PMC members, agree
with his concerns) about the security issues introduced by downloading
artifacts from ibiblio or its mirrors, so we are trying to find an
interim solution while the ASF defines a common way.
BTW, as I'm sure Noel is listening - I'm still waiting on his feedback
to the proposal I put up specifically about his concerns.
http://docs.codehaus.org/display/MAVEN/Repository+Security+Improvements
On this thread, one gotcha I'll note about using file:/ repositories -
it may be difficult to get them to work as expected in a multiple
module project. They can still work, it just requires redefining them
in all POMs that use them; you can't inherit them with the correct
directory settings.
Thanks,
Brett
Here is what I've proposed:
1) create a "repository/third-party-m1" folder in our
svn.apache.org/repos/asf/james repository.
2) commit there our current third party dependencies (BSD/CDDL/MIT/ASF)
3) export the content of this repository on a subfolder of our
james.apache.org website (james.apache.org/repos/third-party-m1 could be
a good candidate) so that we don't link directly to the SVN server but to a
mirrored resource (websites are mirrored, right?)
4) add this "james.apache.org/repos/third-party-m1" to our main pom
(overwriting ibiblio).
We would still use the 2 ASF-wide Maven repositories to publish our
official releases or to read ASF jars and for our snapshot needs.
Does ASF policy allow us to do this? WDYT?
Stefano