Hello all,

1. I see that a Maven2 alpha is out: is it still using the Maven1
repository structure?

2. I have been busy coding the SmartFrog support for Libraries
(http://smartfrog.org), so that you can declare what your classpath is
for running things at deploy time:

    commons-logging extends MavenArtifact {
        project "commons-logging";
        version "1.0.4";
        sha1="f4ddb24e07c";
    }

I'm going to allow for both SHA1 and MD5 checking, the idea being that
you declare them in the deployment descriptor which needs to be in a
signed JAR before being trusted. So we don't need to worry about
security of HTTP repositories, or the .md5 files in the repository - we
only need to care about security of deployment descriptors and the
private keys used to sign them for any particular infrastructure.

I'm also going to be paranoid and recheck the signatures even against
files that are cached.

3. One question I have is about our policy for longer project names,
"org.apache.something". I have stub code that replaces that with
org/apache/something and then looks for the usual
org/apache/something/jars/artifact[-version][.extension]  afterwards.
Is this wise or not?

-steve
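
The checks described in the message above, as an added example that is not part of the original post and not SmartFrog's own code: it maps a dotted project name to the repository path from point 3 and re-hashes a cached file against the digest pinned in the descriptor on every use. The class and method names are hypothetical, the artifact bytes are constructed, and it assumes Java 17 or later for `HexFormat`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Added illustration; names are hypothetical, not SmartFrog's API. */
public class PinnedArtifactCheck {

    /** project/jars/artifact[-version][.extension], dots in the project mapped to directories. */
    static String repoPath(String project, String artifact, String version, String ext) {
        String file = artifact + (version == null ? "" : "-" + version)
                               + (ext == null ? "" : "." + ext);
        return project.replace('.', '/') + "/jars/" + file;
    }

    /** algorithm is a MessageDigest name: "SHA-1" or "MD5" as in the post, or "SHA-256". */
    static String hexDigest(String algorithm, byte[] data) throws NoSuchAlgorithmException {
        return HexFormat.of().formatHex(MessageDigest.getInstance(algorithm).digest(data));
    }

    /** Re-hash the cached copy on every use; expectedHex comes from the signed descriptor. */
    static byte[] loadVerified(Path cached, String algorithm, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        byte[] data = Files.readAllBytes(cached);
        byte[] actual = MessageDigest.getInstance(algorithm).digest(data);
        byte[] expected = HexFormat.of().parseHex(expectedHex); // rejects malformed hex
        if (!MessageDigest.isEqual(actual, expected)) {
            Files.delete(cached); // evict so the bad copy is never reused
            throw new SecurityException("digest mismatch for " + cached.getFileName());
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(repoPath("org.apache.something", "artifact", "1.0", "jar"));
        // Constructed stand-in for a downloaded JAR; the pin is computed here only for the demo.
        Path cached = Files.createTempFile("artifact", ".jar");
        Files.write(cached, "constructed jar bytes".getBytes(StandardCharsets.UTF_8));
        String pin = hexDigest("SHA-1", Files.readAllBytes(cached));
        System.out.println("clean cache accepted: " + (loadVerified(cached, "SHA-1", pin).length > 0));
        Files.write(cached, "tampered".getBytes(StandardCharsets.UTF_8)); // simulate a modified cache
        try {
            loadVerified(cached, "SHA-1", pin);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```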
