Steve Loughran wrote:
I'm Steve Loughran of the Ant project; Nicolaken said I should get on this mail list
1. I have just added to Ant CVS_HEAD a task to get libraries from a repository; built in support is for maven layouts, though others are possible.
This is a great idea.
2. I worry about the security aspects. I dont think it is enough to verify the MD5 signatures, because they are served up on the same (http) server. What should I be doing for verifying remote downloads are the intended ones, or what changes are planned in the near future that our task should ready itself for? Note that the task is focused on JAR/WAR/Ear archives only, so we can do full jar signature checking if that is felt the best solution. And we can ship with the public key of an Apache/Maven/Gump CA to verify signatures. Indeed, the fact that nothing has shipped at all yet (and wont till 1.7 alpha) means that we have time to get things right here
This subject is going to be dependent on the overall capabilities of Maven itself. I think, as Maven moves forward your going to see more requirements for signatures. I think that in your case, all the Ant task would probably maintain is some "warning" or interactive y/n/a/na concerning the signature being missing or bad. This is because no matter what policies we put in place for the ASF Repository, they are but a subset of possible outcomes in Maven.
Ultimately, users of the task should be using http://www.ibiblio.org/maven an Apache mirror or another local Maven repository as the target for downloading dependencies and not ever the /dist/java-repository on minotaur directly.
In theory. All pgp signatures on files in the repository should have public keys stored somewhere under "KEYS" like other contents of /dist/ but I don't currently think this a well maintained or organized practice in the ASF Repository. It should be better maintained and we've had discussions about improving it.
-- Mark Diggory Open Source Software Developer Apache Jakarta Project http://jakarta.apache.org