[ 
https://issues.apache.org/jira/browse/MRESOLVER-279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622768#comment-17622768
 ] 

ASF GitHub Bot commented on MRESOLVER-279:
------------------------------------------

michael-o commented on code in PR #203:
URL: https://github.com/apache/maven-resolver/pull/203#discussion_r1002674110


##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/FileTrustedChecksumsSourceSupport.java:
##########
@@ -151,29 +138,40 @@ protected String configPropKey( String name )
     }
 
     /**
-     * Returns {@code true} if session configuration contains "originAware" 
property set to {@code true}.
+     * Returns {@code true} if session configuration marks this instance as 
enabled.
+     * <p>
+     * Default value is {@code false}.
+     */
+    protected boolean isEnabled( RepositorySystemSession session )
+    {
+        return ConfigUtils.getBoolean( session, false, CONFIG_PROP_PREFIX + 
this.name );
+    }
+
+    /**
+     * Returns {@code true} if session configuration marks this instance as 
origin aware.
+     * <p>
+     * Default value is {@code true}.
      */
     protected boolean isOriginAware( RepositorySystemSession session )
     {
-        return ConfigUtils.getBoolean( session, false, configPropKey( 
CONF_NAME_ORIGIN_AWARE ) );
+        return ConfigUtils.getBoolean( session, true, configPropKey( 
CONF_NAME_ORIGIN_AWARE ) );
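
Review bot: the default passed to `ConfigUtils.getBoolean` in `isOriginAware` flips from `false` to `true`, so any session that leaves the origin-aware property unset changes behaviour without a configuration change. Call this out in the configuration documentation and upgrade notes. It would also help if both Javadocs named the property key they read, since `isEnabled` builds its key inline as `CONFIG_PROP_PREFIX + this.name` while `isOriginAware` goes through `configPropKey( CONF_NAME_ORIGIN_AWARE )`, and a reader cannot tell from the comment which key enables the source.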

Review Comment:
   Does this really make sense since we don't split artifacts by repo either?



##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SummaryFileTrustedChecksumsSource.java:
##########
@@ -27,45 +28,62 @@
 import java.io.UncheckedIOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
-import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
-import java.util.Set;
-import java.util.TreeSet;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.eclipse.aether.MultiRuntimeException;
 import org.eclipse.aether.RepositorySystemSession;
 import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.internal.impl.LocalPathComposer;
 import org.eclipse.aether.repository.ArtifactRepository;
 import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory;
-import org.eclipse.aether.util.artifact.ArtifactIdUtils;
+import org.eclipse.aether.util.ConfigUtils;
+import org.eclipse.aether.util.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import static java.util.Objects.requireNonNull;
+import static java.util.stream.Collectors.toList;
 
 /**
  * Compact file {@link FileTrustedChecksumsSourceSupport} implementation that 
use specified directory as base
- * directory, where it expects a "summary" file named as 
"checksums.${checksumExt}" for each checksum algorithm, and
- * file format is artifact ID and checksum separated by space per line. The 
format supports comments "#" (hash) and
- * empty lines (both are ignored).
+ * directory, where it expects a "summary" file named as 
"checksums.${checksumExt}" for each checksum algorithm.
+ * File format is GNU Coreutils compatible: each line holds checksum followed 
by two spaces and artifact relative path
+ * (from local repository root, without leading "./"). This means that trusted 
checksums summary file can be used to
+ * validate artifacts or generate it using standard GNU tools like GNU {@code 
sha1sum} is (for BSD derivatives same
+ * file can be used with {@code -r} switch).
  * <p>
- * The source may be configured to be "origin aware", in that case it will 
factor in origin repository ID as well into
- * file name (for example "checksums-central.sha1").
+ * The format supports comments "#" (hash) and empty lines for easier 
structuring the file content, and both are
+ * ignored. Also, their presence makes the summary file incompatible with GNU 
Coreutils format. On save of the
+ * summary file, the comments and empty lines are lost, and file is sorted by 
path names for easier diffing
+ * (2nd column in file).
  * <p>
- * The checksums file once loaded are cached in session, so in-flight file 
changes during lifecycle of session are NOT
- * noticed.
+ * The source by default is "origin aware", and it will factor in origin 
repository ID as well into summary file name,
+ * for example "checksums-central.sha256".
+ * <p>
+ * Example commands for managing summary file (in examples will use repository 
ID "central"):
+ * <ul>
+ *     <li>To create summary file: {@code find * -not -name 
"checksums-central.sha256" -type f -print0 |
+ *       xargs -0 sha256sum | sort -k 2 > checksums-central.sha256}</li>
+ *     <li>To verify artifacts using summary file: {@code sha256sum --quiet -c 
checksums-central.sha256}</li>
+ * </ul>
+ * <p>
+ * The checksums summary file is lazily loaded and remains cached in session, 
so file changes during lifecycle of the
+ * session are not picked up. This implementation can be simultaneously used 
to lookup and also write checksums. The
+ * written checksums will become visible only for writer session, and newly 
written checksums, if any, will be flushed
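
Review bot: in the class Javadoc, the example `find` command excludes only `checksums-central.sha256` by name, so any other summary file kept in the same directory (a second algorithm or another origin, following the "checksums.${checksumExt}" naming described at the top of the comment) would itself be hashed into the new summary. Consider excluding by pattern, for example `-not -name "checksums*"`, or stating that the command assumes a single summary file. The same comment has a stray "is" after `{@code sha1sum}` in the sentence about GNU tools.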

Review Comment:
   So this is not really per physical file and NOT per GAV?





> Simplify and improve trusted checksum sources
> ---------------------------------------------
>
>                 Key: MRESOLVER-279
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-279
>             Project: Maven Resolver
>          Issue Type: Task
>          Components: Resolver
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 1.9.0
>
>
> High level changes:
>  * support class should meddle way less, it is here to provide some utils and 
> protect from future API changes
>  * sparse source: use `FileProcessor` for both checksum read and write 
> (instead of mixing in `Files.write`)
>  * summary source: heavily enhanced, on save it truncates or merges with 
> existing summary file, added change detection (prevents save when no change 
> to save), summary file is written out atomically, and finally file format is 
> made GNU Coreutils formatted, hence is usable with GNU sha1sum and alike OS 
> tools
>  * introduce FileUtils, Java NIO2 based file writing utility
> For both checksum sources the semantics of concurrent lookup/write is cleared 
> up and documented (and fixed in summary). For both purposes (lookup or 
> write), the source must be explicitly enabled.
> Tests redone as well, and should work with any writable trusted checksum 
> source.
> ----



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
