On Wed, 5 Jan 2005 23:42:30 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> > JAR signing needs retrofitting to existing files, but has
> > the advantage that JVMs integrate with it and you can do other tricks
> > (like put http://ibiblio.org.../artifact.jar on the classpath with
> > security turned on)
> 
> That I haven't looked into, but would also be a good, but optional
> feature. I think this is more of a build feature than a repository
> feature? In fact, I'm sure we already do this for JNLP.

Yes, it's a build feature. But if every jar was signed then you can
verify that it hasn't been tampered with, without having to verify MD5s
against those of a remote https site, etc etc. But it is
side-effecting on the jar.

> 
> > 2. licenses. not just auto-download of .LICENSE files, but ideally
> > some way to do click-through that even Sun are happy with.
> 
> Yeah, there's a low hundreds JIRA entry for that (ie OLD :) I think
> even that wouldn't fly with Sun IIRC but it doesn't hurt to ask.

I've been talking to Jesse Glick of the NetBeans team; they have some
public server with their own ant tasks to click-through licensing
every fetch -and provide a key for automated builds if you can justify
it.

What I'd like is

-license only appears if there is a change in the .LICENSE file
-in ant, the popup license would be managed so that IDEs, CruiseControl
can do their own thing.
-you could register a set of licenses you always accept :
 "Apache,LGPL,Sun"
That'd need every license to be represented with a family and a
version, which means an XML file if I am not mistaken.

-steve
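
The signed-jar tamper check discussed in this message, as an added example that is not part of the original thread: it uses the JDK's `java.util.jar` verification and reports entries that carry no signature. The class and method names are hypothetical, Java 9 or later is assumed, and the code does not decide whether a signer's certificate is trusted.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class JarSignatureCheck {
    // Signature bookkeeping files are never themselves covered by the signature.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
            || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Returns entries with no signer; throws SecurityException on a digest mismatch.
    static List<String> unsignedEntries(Path jar) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {   // true = verify
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Verification is lazy: digests are checked only once the
                // entry has been read to the end.
                try (InputStream in = jf.getInputStream(e)) { in.readAllBytes(); }
                if (e.getCodeSigners() == null) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : Files.createTempFile("constructed", ".jar");
        if (args.length == 0) {  // constructed sample input: a small unsigned jar
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
                out.putNextEntry(new JarEntry("example/Hello.class"));
                out.write(new byte[] {1, 2, 3});
                out.closeEntry();
            }
        }
        List<String> unsigned = unsignedEntries(jar);
        System.out.println(unsigned.isEmpty() ? "all entries signed and intact"
                                              : "unsigned entries: " + unsigned);
    }
}
```

An entry added to a signed jar after signing passes the digest check silently, which is why the unsigned-entry list matters as much as the `SecurityException`.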
