Re: Maven uploads and hashes
On 31/05/2020 00:27, Michael Osipov wrote: > * Clone MRESOLVER, switch to MRESOLVER-56, install locally > * Clone MRESOLVER AT, update MRESOLVER to 1.4.3-SNAPSHOT, install locally > * Use the SNAPSHOT version of the Über JAR for your tests > > I have built Maven 3.7.0-SNAPSHOT and was able to upload checksums to > repository.apache.org. > > Michael > > PS: This is all WIP, comments welcome! Woot! Works a treat. Just uploading an Tomcat 10 snapshot and the additional hashes are present as expected. As soon as there is a release, we can update. Thanks, Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
I have just released Maven Resolver Ant Tasks 1.2.1. Should be soon on Central. SHA-2 is up next. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
Am 2020-05-29 um 20:55 schrieb Mark Thomas: On 29/05/2020 19:42, Michael Osipov wrote: Am 2020-05-29 um 16:48 schrieb Mark Thomas: On 29/05/2020 15:23, Michael Osipov wrote: Am 2020-05-29 um 14:05 schrieb Mark Thomas: Hi, Currently we use the (very old) Maven Ant Tasks to upload files to Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for every uploaded file. It also adds hashes for .asc files. I investigated manually adding .sha256 and .sha512 files. This works, bu the upload process still adds .md5 and .sha1 files for the .sha256 and .sha512 files. This is workable but not ideal. I am currently investigating the possibility of switching to the newer Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more dependencies and the default behaviour is unchanged. I am currently looking at the source to see if the behaviour could be configured. In amongst all of this I had a thought. What if we just made a binary patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 hashes to creating SHA-256 and SHA-512 hashes? At first glance this looks to be a small tweak to a single class that should be doable with BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a terrible idea? I wanted to get some feedback on this while I continued to look at the Maven Resolver Ant Tasks. I need to add a few lines here since I maintain Maven Resolver these days. So no need to patch anything, we can work upstream. We have/had these requests recently for SHA-2 family of hashes. What hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for Central. Moreover, you cannot omit MD5 and SHA-1 for Central because they are mandatory, you won't pass evaluation on repository.a.o. Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to customize Tomcat distributin for several OSes and there is a single JAR you can use: https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar Ah. I didn't see the uber JAR. That helps a lot. I would not recommend committing it due to the size, but simply require it to be in ~/.ant or in ANT_HOME. Agreed. JARs don't belong in source repos. We can download it on demand. When Aether has been adopted from Eclipse, license has also changed from EPL to AL. I see no issues here. Great. WDYT? Cool. I think we have a possible solution here. 1. Switch to using the maven-resolver-ant-tasks with the uber JAR. This gives us the immediate benefit that we won't be generating .asc.md5 and .asc.sha1 files. I pretty much have this ready to go. I just need to tweak it to use the uber JAR. 2. Update to a newer version of maven-resolver-ant-tasks when a version that adds .sha256 and .sha512 is available. I'd be fine if it added .md5, .sha1, .sha256 and .sha512 Correct. I have recently updated Resolver. Ant Tasks need some love to perform again. This is the next point on my list. As soon as a new Ant Tasks release is out, I will head over to Resolver master and provide you a branch with a tentative fix for the SHA-2 issue. Acceptable? Perfect. Sounds great. I'm just about to update master to Maven Resolver Ant Tasks in preparation. I'll back-port as well. * Clone MRESOLVER, switch to MRESOLVER-56, install locally * Clone MRESOLVER AT, update MRESOLVER to 1.4.3-SNAPSHOT, install locally * Use the SNAPSHOT version of the Über JAR for your tests I have built Maven 3.7.0-SNAPSHOT and was able to upload checksums to repository.apache.org. Michael PS: This is all WIP, comments welcome! - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
On Fri, May 29, 2020 at 8:55 PM Mark Thomas wrote: > On 29/05/2020 19:42, Michael Osipov wrote: > > Am 2020-05-29 um 16:48 schrieb Mark Thomas: > >> On 29/05/2020 15:23, Michael Osipov wrote: > >>> Am 2020-05-29 um 14:05 schrieb Mark Thomas: > Hi, > > Currently we use the (very old) Maven Ant Tasks to upload files to > Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes > for > every uploaded file. It also adds hashes for .asc files. > > I investigated manually adding .sha256 and .sha512 files. This > works, bu > the upload process still adds .md5 and .sha1 files for the .sha256 and > .sha512 files. This is workable but not ideal. > > I am currently investigating the possibility of switching to the newer > Maven Resolver Ant Tasks. This is a work in progress. It has a LOT > more > dependencies and the default behaviour is unchanged. I am currently > looking at the source to see if the behaviour could be configured. > > In amongst all of this I had a thought. What if we just made a binary > patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 > hashes to creating SHA-256 and SHA-512 hashes? At first glance this > looks to be a small tweak to a single class that should be doable with > BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a > terrible idea? I wanted to get some feedback on this while I continued > to look at the Maven Resolver Ant Tasks. > >>> > >>> I need to add a few lines here since I maintain Maven Resolver these > >>> days. So no need to patch anything, we can work upstream. > >>> We have/had these requests recently for SHA-2 family of hashes. What > >>> hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for > >>> Central. Moreover, you cannot omit MD5 and SHA-1 for Central because > >>> they are mandatory, you won't pass evaluation on repository.a.o. > >>> Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to > >>> customize Tomcat distributin for several OSes and there is a single JAR > >>> you can use: > >>> > https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar > >>> > >> > >> Ah. I didn't see the uber JAR. That helps a lot. > >> > >>> I would not recommend committing it due to the size, but simply require > >>> it to be in ~/.ant or in ANT_HOME. > >> > >> Agreed. JARs don't belong in source repos. We can download it on demand. > >> > >>> When Aether has been adopted from Eclipse, license has also changed > from > >>> EPL to AL. I see no issues here. > >> > >> Great. > >> > >>> WDYT? > >> > >> Cool. I think we have a possible solution here. > >> > >> 1. Switch to using the maven-resolver-ant-tasks with the uber JAR. > >> > >> This gives us the immediate benefit that we won't be generating .asc.md5 > >> and .asc.sha1 files. I pretty much have this ready to go. I just need to > >> tweak it to use the uber JAR. > >> > >> 2. Update to a newer version of maven-resolver-ant-tasks when a version > >> that adds .sha256 and .sha512 is available. I'd be fine if it added > >> .md5, .sha1, .sha256 and .sha512 > > > > Correct. I have recently updated Resolver. Ant Tasks need some love to > > perform again. This is the next point on my list. As soon as a new Ant > > Tasks release is out, I will head over to Resolver master and provide > > you a branch with a tentative fix for the SHA-2 issue. > > > > Acceptable? > > Perfect. Sounds great. I'm just about to update master to Maven Resolver > Ant Tasks in preparation. I'll back-port as well. > Worth trying at least ;) Rémy
Re: Maven uploads and hashes
On 29/05/2020 19:42, Michael Osipov wrote: > Am 2020-05-29 um 16:48 schrieb Mark Thomas: >> On 29/05/2020 15:23, Michael Osipov wrote: >>> Am 2020-05-29 um 14:05 schrieb Mark Thomas: Hi, Currently we use the (very old) Maven Ant Tasks to upload files to Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for every uploaded file. It also adds hashes for .asc files. I investigated manually adding .sha256 and .sha512 files. This works, bu the upload process still adds .md5 and .sha1 files for the .sha256 and .sha512 files. This is workable but not ideal. I am currently investigating the possibility of switching to the newer Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more dependencies and the default behaviour is unchanged. I am currently looking at the source to see if the behaviour could be configured. In amongst all of this I had a thought. What if we just made a binary patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 hashes to creating SHA-256 and SHA-512 hashes? At first glance this looks to be a small tweak to a single class that should be doable with BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a terrible idea? I wanted to get some feedback on this while I continued to look at the Maven Resolver Ant Tasks. >>> >>> I need to add a few lines here since I maintain Maven Resolver these >>> days. So no need to patch anything, we can work upstream. >>> We have/had these requests recently for SHA-2 family of hashes. What >>> hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for >>> Central. Moreover, you cannot omit MD5 and SHA-1 for Central because >>> they are mandatory, you won't pass evaluation on repository.a.o. >>> Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to >>> customize Tomcat distributin for several OSes and there is a single JAR >>> you can use: >>> https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar >>> >> >> Ah. I didn't see the uber JAR. That helps a lot. >> >>> I would not recommend committing it due to the size, but simply require >>> it to be in ~/.ant or in ANT_HOME. >> >> Agreed. JARs don't belong in source repos. We can download it on demand. >> >>> When Aether has been adopted from Eclipse, license has also changed from >>> EPL to AL. I see no issues here. >> >> Great. >> >>> WDYT? >> >> Cool. I think we have a possible solution here. >> >> 1. Switch to using the maven-resolver-ant-tasks with the uber JAR. >> >> This gives us the immediate benefit that we won't be generating .asc.md5 >> and .asc.sha1 files. I pretty much have this ready to go. I just need to >> tweak it to use the uber JAR. >> >> 2. Update to a newer version of maven-resolver-ant-tasks when a version >> that adds .sha256 and .sha512 is available. I'd be fine if it added >> .md5, .sha1, .sha256 and .sha512 > > Correct. I have recently updated Resolver. Ant Tasks need some love to > perform again. This is the next point on my list. As soon as a new Ant > Tasks release is out, I will head over to Resolver master and provide > you a branch with a tentative fix for the SHA-2 issue. > > Acceptable? Perfect. Sounds great. I'm just about to update master to Maven Resolver Ant Tasks in preparation. I'll back-port as well. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
Am 2020-05-29 um 16:48 schrieb Mark Thomas: On 29/05/2020 15:23, Michael Osipov wrote: Am 2020-05-29 um 14:05 schrieb Mark Thomas: Hi, Currently we use the (very old) Maven Ant Tasks to upload files to Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for every uploaded file. It also adds hashes for .asc files. I investigated manually adding .sha256 and .sha512 files. This works, bu the upload process still adds .md5 and .sha1 files for the .sha256 and .sha512 files. This is workable but not ideal. I am currently investigating the possibility of switching to the newer Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more dependencies and the default behaviour is unchanged. I am currently looking at the source to see if the behaviour could be configured. In amongst all of this I had a thought. What if we just made a binary patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 hashes to creating SHA-256 and SHA-512 hashes? At first glance this looks to be a small tweak to a single class that should be doable with BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a terrible idea? I wanted to get some feedback on this while I continued to look at the Maven Resolver Ant Tasks. I need to add a few lines here since I maintain Maven Resolver these days. So no need to patch anything, we can work upstream. We have/had these requests recently for SHA-2 family of hashes. What hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for Central. Moreover, you cannot omit MD5 and SHA-1 for Central because they are mandatory, you won't pass evaluation on repository.a.o. Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to customize Tomcat distributin for several OSes and there is a single JAR you can use: https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar Ah. I didn't see the uber JAR. That helps a lot. I would not recommend committing it due to the size, but simply require it to be in ~/.ant or in ANT_HOME. Agreed. JARs don't belong in source repos. We can download it on demand. When Aether has been adopted from Eclipse, license has also changed from EPL to AL. I see no issues here. Great. WDYT? Cool. I think we have a possible solution here. 1. Switch to using the maven-resolver-ant-tasks with the uber JAR. This gives us the immediate benefit that we won't be generating .asc.md5 and .asc.sha1 files. I pretty much have this ready to go. I just need to tweak it to use the uber JAR. 2. Update to a newer version of maven-resolver-ant-tasks when a version that adds .sha256 and .sha512 is available. I'd be fine if it added .md5, .sha1, .sha256 and .sha512 Correct. I have recently updated Resolver. Ant Tasks need some love to perform again. This is the next point on my list. As soon as a new Ant Tasks release is out, I will head over to Resolver master and provide you a branch with a tentative fix for the SHA-2 issue. Acceptable? - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
On 29/05/2020 15:23, Michael Osipov wrote: > Am 2020-05-29 um 14:05 schrieb Mark Thomas: >> Hi, >> >> Currently we use the (very old) Maven Ant Tasks to upload files to >> Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for >> every uploaded file. It also adds hashes for .asc files. >> >> I investigated manually adding .sha256 and .sha512 files. This works, bu >> the upload process still adds .md5 and .sha1 files for the .sha256 and >> .sha512 files. This is workable but not ideal. >> >> I am currently investigating the possibility of switching to the newer >> Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more >> dependencies and the default behaviour is unchanged. I am currently >> looking at the source to see if the behaviour could be configured. >> >> In amongst all of this I had a thought. What if we just made a binary >> patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 >> hashes to creating SHA-256 and SHA-512 hashes? At first glance this >> looks to be a small tweak to a single class that should be doable with >> BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a >> terrible idea? I wanted to get some feedback on this while I continued >> to look at the Maven Resolver Ant Tasks. > > I need to add a few lines here since I maintain Maven Resolver these > days. So no need to patch anything, we can work upstream. > We have/had these requests recently for SHA-2 family of hashes. What > hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for > Central. Moreover, you cannot omit MD5 and SHA-1 for Central because > they are mandatory, you won't pass evaluation on repository.a.o. > Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to > customize Tomcat distributin for several OSes and there is a single JAR > you can use: > https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar Ah. I didn't see the uber JAR. That helps a lot. > I would not recommend committing it due to the size, but simply require > it to be in ~/.ant or in ANT_HOME. Agreed. JARs don't belong in source repos. We can download it on demand. > When Aether has been adopted from Eclipse, license has also changed from > EPL to AL. I see no issues here. Great. > WDYT? Cool. I think we have a possible solution here. 1. Switch to using the maven-resolver-ant-tasks with the uber JAR. This gives us the immediate benefit that we won't be generating .asc.md5 and .asc.sha1 files. I pretty much have this ready to go. I just need to tweak it to use the uber JAR. 2. Update to a newer version of maven-resolver-ant-tasks when a version that adds .sha256 and .sha512 is available. I'd be fine if it added .md5, .sha1, .sha256 and .sha512 Job done. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
Am 2020-05-29 um 14:05 schrieb Mark Thomas: Hi, Currently we use the (very old) Maven Ant Tasks to upload files to Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for every uploaded file. It also adds hashes for .asc files. I investigated manually adding .sha256 and .sha512 files. This works, bu the upload process still adds .md5 and .sha1 files for the .sha256 and .sha512 files. This is workable but not ideal. I am currently investigating the possibility of switching to the newer Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more dependencies and the default behaviour is unchanged. I am currently looking at the source to see if the behaviour could be configured. In amongst all of this I had a thought. What if we just made a binary patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 hashes to creating SHA-256 and SHA-512 hashes? At first glance this looks to be a small tweak to a single class that should be doable with BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a terrible idea? I wanted to get some feedback on this while I continued to look at the Maven Resolver Ant Tasks. I need to add a few lines here since I maintain Maven Resolver these days. So no need to patch anything, we can work upstream. We have/had these requests recently for SHA-2 family of hashes. What hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for Central. Moreover, you cannot omit MD5 and SHA-1 for Central because they are mandatory, you won't pass evaluation on repository.a.o. Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to customize Tomcat distributin for several OSes and there is a single JAR you can use: https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar I would not recommend committing it due to the size, but simply require it to be in ~/.ant or in ANT_HOME. When Aether has been adopted from Eclipse, license has also changed from EPL to AL. I see no issues here. WDYT? - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Maven uploads and hashes
On 29/05/2020 13:05, Mark Thomas wrote: > Hi, > > Currently we use the (very old) Maven Ant Tasks to upload files to > Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for > every uploaded file. It also adds hashes for .asc files. > > I investigated manually adding .sha256 and .sha512 files. This works, bu > the upload process still adds .md5 and .sha1 files for the .sha256 and > .sha512 files. This is workable but not ideal. > > I am currently investigating the possibility of switching to the newer > Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more > dependencies and the default behaviour is unchanged. I am currently > looking at the source to see if the behaviour could be configured. > > In amongst all of this I had a thought. What if we just made a binary > patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 > hashes to creating SHA-256 and SHA-512 hashes? At first glance this > looks to be a small tweak to a single class that should be doable with > BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a > terrible idea? I wanted to get some feedback on this while I continued > to look at the Maven Resolver Ant Tasks. A little more information with a summary. Maven Ant Tasks - single JAR - creates hashes for .asc, sha256 and sha512 files if added manually - hard coded to MD5 and SHA-1 - relevant code is ALv2 licensed (and ASF owned) so modification is trivial Maven Resolver Ant Tasks - multiple (10s?) JARs - doesn't create hashes for .asc files (by default) - creates hashes for sha256 and sha512 files if added manually - hard coded to MD5 and SHA-1 - relevant code (Eclipse Aether) is EPL 1.0 licensed which makes it category B and therefore trickier for us to modify Both approaches are either deprecated /retired or depend on deprecated / retired components. I'm continuing to look for other options. Next up the Nexus Staging Ant Tasks. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Maven uploads and hashes
Hi, Currently we use the (very old) Maven Ant Tasks to upload files to Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for every uploaded file. It also adds hashes for .asc files. I investigated manually adding .sha256 and .sha512 files. This works, bu the upload process still adds .md5 and .sha1 files for the .sha256 and .sha512 files. This is workable but not ideal. I am currently investigating the possibility of switching to the newer Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more dependencies and the default behaviour is unchanged. I am currently looking at the source to see if the behaviour could be configured. In amongst all of this I had a thought. What if we just made a binary patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1 hashes to creating SHA-256 and SHA-512 hashes? At first glance this looks to be a small tweak to a single class that should be doable with BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a terrible idea? I wanted to get some feedback on this while I continued to look at the Maven Resolver Ant Tasks. Thoughts? Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org