I'm forwarding this on to the "Repository" email list.

Dion, the reason I was suggesting it was your action is because files also owned by yourself were added to the commons-jelly/jars directory. I assume it was your upload of those files which altered them so that the md5's no longer matched.

-rw-rw-r--  1 dion      apcvs   12377 Sep  2 00:39 
-rw-rw-r--  1 dion      apcvs      32 Sep  2 00:39 
-rw-rw-r--  1 dion      apcvs   10343 Sep  2 00:39 
-rw-rw-r--  1 dion      apcvs      32 Sep  2 00:39 
-rw-rw-r--  1 dion      apcvs  161479 Sep  2 00:08 
-rw-rw-r--  1 dion      apcvs      32 Sep  2 00:09 
-rw-rw-r--  1 dion      apcvs   35076 Sep  2 00:21 
-rw-rw-r--  1 dion      apcvs      32 Sep  2 00:21 
-rw-rw-r--  1 mdiggory  apcvs   11489 Sep  2 00:28 
-rw-rw-r--  1 mdiggory  apcvs      33 Jan 19  2004 

So I was suspecting it was Dion because the published jars under his name like those represented above got transferred last night to ibiblio:


All I know is that there was a process running around midnight which walked through this directory and updated jar files within it, breaking some of the md5 signatures on files which were owned by me.

Henk P. Penning wrote:
On Fri, 3 Sep 2004, Dion Gillard wrote:

Date: Fri, 3 Sep 2004 09:11:25 +1000
From: Dion Gillard <[EMAIL PROTECTED]>
Subject: Re: md5 errors in java-repository

Sorry guys, I haven't updated those files....?

  .. then some of the 909 other members of group apcvs did it.

true, true. We need to get the permissions locked down.

  IMHO, these files shouldn't be group writable ;
  only the directories should be; now file ownership
  means nothing.

Well, I'm unsure how different individuals are publishing; I assume most are using Maven, which will set file permissions according to how it is coded in the Maven client. If the Maven client were configurable, then maybe this could be managed.

I'm still very curious how java-repository is maintained

-- what stuff is added, and how

Really, it's only supposed to be getting full releases published within it.

-- what stuff is deleted and when

Currently, releases which are removed from the public should be removed.

Wouldn't it be easier if there was a config like

    this-jar FROM that-dist-tgz GOES there

  so that

-- 'this-jar' can be removed if 'that-dist-tgz' is gone

That would be managed by the project owners, like it is now.

-- installation in java-repository can be automated

Again, Maven, as a client, is used to publish a release jar into the repository based on the project that is being worked with on the client side; the structure is fairly "strict".


----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html          M [EMAIL PROTECTED]  \_/

-- Mark Diggory Software Developer Harvard MIT Data Center http://www.hmdc.harvard.edu
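
An added example, not part of the original thread or of the repository's own tooling: an audit of a repository tree for the two problems discussed above, jars whose md5 sidecar no longer matches and jars that are group-writable. The `<jar>.md5` sidecar naming, the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib, os, stat, sys, tempfile
from pathlib import Path

def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large jars are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def read_sidecar(path):
    """Digest from a sidecar: bare hex (with or without newline) or 'hex  name'."""
    text = Path(path).read_text(errors="replace").strip()
    return text.split()[0].lower() if text else ""

def audit(repo_dir):
    """Return (relative path, finding) tuples for every jar under repo_dir."""
    findings = []
    for jar in sorted(Path(repo_dir).rglob("*.jar")):
        rel = jar.relative_to(repo_dir).as_posix()
        if jar.stat().st_mode & stat.S_IWGRP:
            findings.append((rel, "group-writable"))  # any group member can replace it
        sidecar = Path(str(jar) + ".md5")             # assumed naming: foo.jar.md5
        if not sidecar.exists():
            findings.append((rel, "no-md5"))
        elif read_sidecar(sidecar) != md5_of(jar):
            findings.append((rel, "md5-mismatch"))
    return findings

def build_sample(root):
    """Constructed sample tree (not data from the thread)."""
    jars = Path(root, "commons-jelly", "jars")
    jars.mkdir(parents=True)
    for name, body, mode, newline, altered in [
        ("sample-a-1.0.jar", b"release A", 0o644, True, False),
        ("sample-b-1.0.jar", b"release B", 0o664, False, True),
        ("sample-c-1.0.jar", b"release C", 0o644, False, False),
    ]:
        jar = jars / name
        jar.write_bytes(body)
        Path(str(jar) + ".md5").write_text(md5_of(jar) + ("\n" if newline else ""))
        if altered:
            jar.write_bytes(body + b" re-uploaded")  # jar changes, sidecar goes stale
        os.chmod(jar, mode)                          # set explicitly, independent of umask
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for rel, finding in audit(target):
        print(f"{finding:15} {rel}")
```
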
