I'm forwarding this onto the "Repository" email list.
Dion, the reason I was suggesting it was your action is because files also owned by yourself were added to the commons-jelly/jars directory. I assume it was your upload of those files which altered them so that the md5's no longer matched.
...
-rw-rw-r-- 1 dion apcvs 12377 Sep 2 00:39 commons-jelly-tags-validate-20040902.073836.jar
-rw-rw-r-- 1 dion apcvs 32 Sep 2 00:39 commons-jelly-tags-validate-20040902.073836.jar.md5
...
-rw-rw-r-- 1 dion apcvs 10343 Sep 2 00:39 commons-jelly-tags-velocity-20040902.073917.jar
-rw-rw-r-- 1 dion apcvs 32 Sep 2 00:39 commons-jelly-tags-velocity-20040902.073917.jar.md5
...
-rw-rw-r-- 1 dion apcvs 161479 Sep 2 00:08 commons-jelly-20040902.070806.jar
-rw-rw-r-- 1 dion apcvs 32 Sep 2 00:09 commons-jelly-20040902.070806.jar.md5
...
-rw-rw-r-- 1 dion apcvs 35076 Sep 2 00:21 commons-jelly-tags-xml-20040902.072037.jar
-rw-rw-r-- 1 dion apcvs 32 Sep 2 00:21 commons-jelly-tags-xml-20040902.072037.jar.md5
-rw-rw-r-- 1 mdiggory apcvs 11489 Sep 2 00:28 commons-jelly-tags-xmlunit-20030211.144251.jar
-rw-rw-r-- 1 mdiggory apcvs 33 Jan 19 2004 commons-jelly-tags-xmlunit-20030211.144251.jar.md5
So I was suspecting it was Dion because the published jars under his name like those represented above got transferred last night to ibiblio:
http://www.ibiblio.org/maven/reports/apache/2004/09/02/apache-20040902-050103.txt
All I know is that there was a process running around midnight which walked through this directory and updated jar files within it, breaking some of the md5 signatures on files which were owned by me.
Henk P. Penning wrote:
On Fri, 3 Sep 2004, Dion Gillard wrote:
Date: Fri, 3 Sep 2004 09:11:25 +1000
From: Dion Gillard <[EMAIL PROTECTED]>
To: Henk P. Penning <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: md5 errors in java-repository
Sorry guys, I haven't updated those files....?
.. then some of the 909 other members of group apcvs did it.
true, true. We need to get the permissions locked down.
IMHO, these files shouldn't be group writable; only the directories should be; now file ownership means nothing.
Well, I'm unsure how different individuals are publishing, I assume most are using maven, which will set file permissions according to how it is coded in the Maven client. If the Maven client were configurable, then maybe this could be managed.
I'm still very curious how java-repository is maintained
-- what stuff is added, and how
Really, it's only supposed to be getting full releases published within it.
-- what stuff is deleted and when
Currently, releases which are removed from the public should be removed.
Wouldn't it be easier if there was a config like
this-jar FROM that-dist-tgz GOES there ....
so that
-- 'this-jar' can be removed if 'that-dist-tgz' is gone
That would be managed by the project owners, like it is now.
-- installation in java-repository can be automated
Again, Maven, as a client is used to publish a release jar into the repository based on the project that is being worked with on the client side, the structure is fairly "strict".
HPP
----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html          M [EMAIL PROTECTED]  \_/

--
Mark Diggory
Software Developer
Harvard MIT Data Center
http://www.hmdc.harvard.edu
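
Added example, not part of the original thread or of any Apache or Maven tooling: a small audit for the three conditions discussed above, namely a jar whose content no longer matches its .md5 sidecar, a jar rewritten after its checksum was recorded (as in the xmlunit listing), and group-writable jar files. The function names, issue labels and sample files are assumptions made for illustration.

```python
import hashlib, os, stat, tempfile

def audit_repo(root):
    """Return sorted (relative_path, issue) findings for every .jar under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            jar = os.path.join(dirpath, name)
            rel = os.path.relpath(jar, root)
            jar_st = os.stat(jar)
            # Group-writable file: any group member can replace it in place.
            if jar_st.st_mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            md5_path = jar + ".md5"
            if not os.path.exists(md5_path):
                findings.append((rel, "missing-md5"))
                continue
            with open(md5_path) as fh:
                # Sidecar may be 32 bytes (bare digest) or 33 (trailing newline).
                tokens = fh.read().split()
            recorded = tokens[0].lower() if tokens else ""
            with open(jar, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
            if recorded != actual:
                findings.append((rel, "md5-mismatch"))
            # Jar rewritten after its checksum was recorded.
            if jar_st.st_mtime > os.stat(md5_path).st_mtime:
                findings.append((rel, "jar-newer-than-md5"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: one consistent jar, one overwritten after its .md5."""
    def put(name, data, mode, mtime):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    put("good.jar", b"release-1", 0o644, 1000)
    put("good.jar.md5", hashlib.md5(b"release-1").hexdigest().encode() + b"\n", 0o644, 1000)
    put("stale.jar", b"rebuilt", 0o664, 2000)
    put("stale.jar.md5", hashlib.md5(b"original").hexdigest().encode(), 0o644, 1000)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, issue in audit_repo(tmp):
            print(issue, rel)
```

An MD5 sidecar stored beside the jar with the same write permissions only detects accidental changes; anyone who can rewrite the jar can rewrite the .md5 as well.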
