> I'll be the Ant rep.

Great, thanks.

> I am co-author of the (still stabilising) Ant <libraries> task; it'd

yeah, I've got to 50 mail threads sitting flagged in gmail to read one
day, as this is about the extent of what I know about it :) (after you
introduced it to repository@ last year)

> 1. security. this could be with MD5 checksums, or it could be with
> signed JARs. 

MD5s aren't going to do much for security - they're mainly for
download integrity. Checking and publishing ASC files is a definite
want I have, and that can be ramped up to the level of security you
need (there are obviously varying levels of trust of the files and the
KEYS themselves).

> JAR signing needs retrofitting to existing files, but has
> the advantage that JVMs integrate with it and you can do other tricks
> (like put http://ibiblio.org.../artifact.jar on the classpath with
> security turned on)

That I haven't looked into, but would also be a good, but optional,
feature. I think this is more of a build feature than a repository
feature? In fact, I'm sure we already do this for JNLP.

> 2. licenses. not just auto-download of .LICENSE files, but ideally
> some way to do click-through that even Sun are happy with. 

Yeah, there's a low hundreds JIRA entry for that (i.e. OLD :) I think
even that wouldn't fly with Sun IIRC but it doesn't hurt to ask.

Should be easy to add hooks and allow a user to say "never ask again
for this license" to always accept ASL or something, but still report
the license on download.

Good ideas and reminders - keep them coming, and I'll put all this
together on the wiki tomorrow-ish.

