Hello,
I'm Steve Loughran of the Ant project; Nicolaken said I should get on
this mail list
1. I have just added to Ant CVS_HEAD a task to get libraries from a
repository; built in support is for maven layouts, though others are
possible.
2. I worry about the security aspects. I dont thi
On Wed, 05 Jan 2005 09:39:28 +0100, Nicola Ken Barozzi
<[EMAIL PROTECTED]> wrote:
> 2) Henk, myself (Maven PMC), Mark Diggory (if available), representative
> from interested Apache projects PMC (most likely someone from Ant) get
> together to sort out exactly what we think needs doing (we can use
On Wed, 5 Jan 2005 23:42:30 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> > JAR signing needs retrofitting to existing files, but has
> > the advantage that JVMs integrate with it and you can do other tricks
> > (like put http://ibiblio.org.../artifact.jar on the classpath with
> > security turn
On Thu, 6 Jan 2005 06:43:34 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> On Wed, 5 Jan 2005 14:24:13 -0500, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> > Is Maven willing to provide suitable support for Ant to use it? I just want
> > to make sure that this is not the Maven repository, but is
On Wed, 5 Jan 2005 17:21:03 +0800, Niclas Hedhman <[EMAIL PROTECTED]> wrote:
> On Wednesday 05 January 2005 16:39, Nicola Ken Barozzi wrote:
> > The Depot project SVN
> > is still there, ready to be used if/when needed by the Maven project.
>
> From the Magic project we have spun off what we call
Hi,
I've been reading the security proposal for the maven2 repository @
http://docs.codehaus.org/display/MAVEN/Maven2+repository
One thing I'd like to see is *every* JAR signed w/ certs under a
single CA, say the Maven one. That way, if I go against a public
maven2 repository for JAR download, I
On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> Hi Steve,
>
> I'd like to do whatever we can to get better security on this stuff. I
> just need to get my head around what JAR signing provides in
> comparison to key signing, and what impact it might have on existing
>
On Thu, 13 Jan 2005 10:29:51 +, Steve Loughran
<[EMAIL PROTECTED]> wrote:
> On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> > Hi Steve,
> >
> > I'd like to do whatever we can to get better security on this stuff. I
> &
On Thu, 13 Jan 2005 10:51:30 -0500, Tim O'Brien <[EMAIL PROTECTED]> wrote:
> Steve,
>
> Would we be talking about "gpg --armor --output
> commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is
> there some other mechanism we would need to go through?
It would be essential for java
On Fri, 4 Feb 2005 14:42:54 -0500, Henri Yandell <[EMAIL PROTECTED]> wrote:
> On Wed, 12 Jan 2005 21:01:41 +0000, Steve Loughran
> <[EMAIL PROTECTED]> wrote:
>
> > We do need to make it easy to sign stuff.
>
> I'm new to the list, so I could be missing a
I'm adding JAR signature verification to the ant repository task. this
is not how we can do security on the main repository, but something
third parties may want. And it starts me off on learning about the
relevant APIs.
Its been mentioned that Apache has a certficiate now. Can somebody
post the p
I have been talking with the bouncy castle people; they make some good
suggestions. One problem with even including the public cert of Apache
in the ant and maven distros, is that you have to make sure that that
distro isnt subverted first.
I have also been having longer discussions with a colleag
On Tue, 15 Mar 2005 09:51:54 -0500, Mark Diggory <[EMAIL PROTECTED]> wrote:
> Russell Gold wrote:
>
> >On Thu, 10 Mar 2005 20:11:20 +0000, Steve Loughran
> ><[EMAIL PROTECTED]> wrote:
> >
> >
> >>The disadvantages
> >> -no obvious
I've been doing some JAR signing work in ant; a task to go
alongside . I had intended it to be a precursor to library
verification in Ant after download.
The summary is: 'signjar -verify' is a worthless bit of code; it
doesnt change its exit code when a JAR is unsigned, it doesnt even
change its
We are now looking at a timescale of lateish summer for Ant1.7, and
the task will ship, with a fair amount of todo items
associated with it : http://wiki.apache.org/ant/Ant17_2fPlanning
policy to verify that jars are signed (for private repostories)
verify .md5 files
to use whatever our ap
On Apr 9, 2005 2:25 AM, Brett Porter <[EMAIL PROTECTED]> wrote:
> > 1. I see that a Maven2 alpha is out: is it still using the Maven1
> > repository structure?
>
> News travels fast... I was going to post about that here this morning :)
planetapache.org knows everything :)
>
> New repository: h
On Apr 9, 2005 2:25 AM, Brett Porter <[EMAIL PROTECTED]> wrote:
http://cvs.apache.org/viewcvs.cgi/maven-components/maven-artifact/src/main/java/org/apache/maven/artifact/repository/layout/DefaultRepositoryLayout.java?rev=1.8&view=markup
>
path.append( artifact.getBaseVersion() ).append(
On Apr 10, 2005 2:06 AM, Brett Porter <[EMAIL PROTECTED]> wrote:
> > planetapache.org knows everything :)
>
> Yes, I just caught your post :)
>
> > This is cool.
> > -what is the local cache name/layout?
>
> Configurable, defaults to ~/.m2/repository and uses the "default"
> layout, which is the
On Apr 11, 2005 12:51 PM, Brett Porter <[EMAIL PROTECTED]> wrote:
> (I'm assuming you meant to reply to all by the content - it happens
> frequently with other gmail users - sorry if I'm out of place
> repeating your message)
no, that's gmail for you.
>
> At the very least we should continue to
On Apr 11, 2005 2:02 PM, Brett Porter <[EMAIL PROTECTED]> wrote:
> > the smartfrog solution is brute force unforgiving: you must declare
> > the SHA1 or MD5 value in a download
>
> Right... I'm sure users wanting security will put up with a certain
> level of pain. I'm still not sure how you secur
On Apr 11, 2005 2:02 AM, Brett Porter <[EMAIL PROTECTED]> wrote:
> > one problem I have for both systems is proxies; at work I cant go to
> > remote http servers without proxy setup. What does maven do?
>
> wagon has a proxy configuration that it passes on to the JDK stuff as
> system properties,
On Apr 11, 2005 4:39 PM, Brett Porter <[EMAIL PROTECTED]> wrote:
> If you needed that, couldn't the default system properties for proxies be
> used?
>
1. On windows, this is hidden in a bit of the registry the API keeps
from from you, plus the java.util.prefs stuff escapes stuff *wierdly*,
as i
On Apr 11, 2005 5:27 PM, Brett Porter <[EMAIL PROTECTED]> wrote:
> Sorry, I meant: http.proxyHost, http.proxyPort and counterparts as
> standard names.
>
> - Brett
well, you could do, but you need to work out
1. how to set up the options for every app you start on the command line
2. how to set
I am pleased to announce that one of the SmartFrog system tests (the
ones gump doesnt run for security reasons) has just successfully
retrieved its first JAR from the maven2 repository
Download extends Compound {
sfSyncTerminate true;
library extends Maven1Library {
}
/**
On 4/15/05, Brett Porter <[EMAIL PROTECTED]> wrote:
> > -something with a different .md5 checksum than its real checksum.
>
> The repository is scanned every 4 hours and repairs missing/broken
> md5s (bearing in mind that we don't consider them as a security
> option, but a download integrity che
On 4/15/05, Henk P. Penning <[EMAIL PROTECTED]> wrote:
> On Fri, 15 Apr 2005, Steve Loughran wrote:
>
> > Date: Fri, 15 Apr 2005 13:30:56 +0100
> > From: Steve Loughran <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Maven2 support
> >
> On 4/15/05, Brett Porter <[EMAIL PROTECTED]> wrote:
>> On 4/15/05, Steve Loughran <[EMAIL PROTECTED]> wrote:
> > > Also, and this is just for generic cool demo effects, who can point me
> > > to a good (AWT/swing) app that the repository has?
> > &
Hello all,
1. I see that a Maven2 alpha is out: is it still using the Maven1
repository structure?
2. I have been busy coding the SmartFrog support for Libraries
(http://smartfrog.org). so that you can declare what your classpath is
for running things at deploy time
commons-logging extends M
On 5/3/05, Jeffrey Liu <[EMAIL PROTECTED]> wrote:
> This is not easy. If there's an Eclipse update manager site for Apache
> software, then when the user finds out s/he needs Tomcat and Axis, all s/he
> needs to do now is launch the Eclipse update manager (URL to the Apache
> update site will be p
On 5/3/05, Jeffrey Liu <[EMAIL PROTECTED]> wrote:
>
> Hi Steve,
>
> Configure in this case means the user goes to the Eclipse perference page,
> choose the version of Tomcat that was downloaded, and point Eclipse to the
> location where it was unzipped. Nothing major, but not obvious to novice
On 5/4/05, Niclas Hedhman <[EMAIL PROTECTED]> wrote:
> On Wednesday 04 May 2005 19:34, Steve Loughran wrote:
>
> > maven repositories are fun because every JAR is on a URL; you can pass
> > them to a URL classloader as is if you want. The .pom also declares
> > depen
On 5/4/05, Niclas Hedhman <[EMAIL PROTECTED]> wrote:
> On Wednesday 04 May 2005 19:54, Milos Kleint wrote:
> > > Milos, didn't Netbeans itself devise some funky system for the
> > > non-distributables and click-thru license approvals??
> >
> > AFAIK such dependencies are scrambled and during the bu
32 matches
Mail list logo