Ant and repositories

2004-11-02 Thread Steve Loughran
Hello, I'm Steve Loughran of the Ant project; Nicolaken said I should get on this mail list. 1. I have just added to Ant CVS_HEAD a task to get libraries from a repository; built-in support is for maven layouts, though others are possible. 2. I worry about the security aspects. I don't thi

Re: Maven and repository@apache.org

2005-01-05 Thread Steve Loughran
On Wed, 05 Jan 2005 09:39:28 +0100, Nicola Ken Barozzi <[EMAIL PROTECTED]> wrote: > 2) Henk, myself (Maven PMC), Mark Diggory (if available), representative > from interested Apache projects PMC (most likely someone from Ant) get > together to sort out exactly what we think needs doing (we can use

Re: Maven and repository@apache.org

2005-01-05 Thread Steve Loughran
On Wed, 5 Jan 2005 23:42:30 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > > JAR signing needs retrofitting to existing files, but has > > the advantage that JVMs integrate with it and you can do other tricks > > (like put http://ibiblio.org.../artifact.jar on the classpath with > > security turn

Re: Maven and repository@apache.org

2005-01-06 Thread Steve Loughran
On Thu, 6 Jan 2005 06:43:34 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > On Wed, 5 Jan 2005 14:24:13 -0500, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > > Is Maven willing to provide suitable support for Ant to use it? I just want > > to make sure that this is not the Maven repository, but is

Re: Maven and repository@apache.org

2005-01-06 Thread Steve Loughran
On Wed, 5 Jan 2005 17:21:03 +0800, Niclas Hedhman <[EMAIL PROTECTED]> wrote: > On Wednesday 05 January 2005 16:39, Nicola Ken Barozzi wrote: > > The Depot project SVN > > is still there, ready to be used if/when needed by the Maven project. > > From the Magic project we have spun off what we call

repo security

2005-01-12 Thread Steve Loughran
Hi, I've been reading the security proposal for the maven2 repository @ http://docs.codehaus.org/display/MAVEN/Maven2+repository One thing I'd like to see is *every* JAR signed w/ certs under a single CA, say the Maven one. That way, if I go against a public maven2 repository for JAR download, I

Re: repo security

2005-01-13 Thread Steve Loughran
On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > Hi Steve, > > I'd like to do whatever we can to get better security on this stuff. I > just need to get my head around what JAR signing provides in > comparison to key signing, and what impact it might have on existing >

Re: repo security

2005-01-13 Thread Steve Loughran
On Thu, 13 Jan 2005 10:29:51 +, Steve Loughran <[EMAIL PROTECTED]> wrote: > On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > > Hi Steve, > > > > I'd like to do whatever we can to get better security on this stuff. I > &

Re: repo security

2005-01-13 Thread Steve Loughran
On Thu, 13 Jan 2005 10:51:30 -0500, Tim O'Brien <[EMAIL PROTECTED]> wrote: > Steve, > > Would we be talking about "gpg --armor --output > commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is > there some other mechanism we would need to go through? It would be essential for java

Re: repo security

2005-02-04 Thread Steve Loughran
On Fri, 4 Feb 2005 14:42:54 -0500, Henri Yandell <[EMAIL PROTECTED]> wrote: > On Wed, 12 Jan 2005 21:01:41 +0000, Steve Loughran > <[EMAIL PROTECTED]> wrote: > > > We do need to make it easy to sign stuff. > > I'm new to the list, so I could be missing a

Apache JAR signing

2005-02-07 Thread Steve Loughran
I'm adding JAR signature verification to the ant repository task. This is not how we can do security on the main repository, but something third parties may want. And it starts me off on learning about the relevant APIs. It's been mentioned that Apache has a certificate now. Can somebody post the p

security, hashing.

2005-03-10 Thread Steve Loughran
I have been talking with the bouncy castle people; they make some good suggestions. One problem with even including the public cert of Apache in the ant and maven distros, is that you have to make sure that that distro isn't subverted first. I have also been having longer discussions with a colleag

Re: security, hashing.

2005-03-15 Thread Steve Loughran
On Tue, 15 Mar 2005 09:51:54 -0500, Mark Diggory <[EMAIL PROTECTED]> wrote: > Russell Gold wrote: > > >On Thu, 10 Mar 2005 20:11:20 +0000, Steve Loughran > ><[EMAIL PROTECTED]> wrote: > > > > > >>The disadvantages > >> -no obvious 

JAR signing : not an option

2005-03-29 Thread Steve Loughran
I've been doing some JAR signing work in ant; a task to go alongside . I had intended it to be a precursor to library verification in Ant after download. The summary is: 'signjar -verify' is a worthless bit of code; it doesn't change its exit code when a JAR is unsigned, it doesn't even change its

Ant1.7 repository work

2005-03-07 Thread Steve Loughran
We are now looking at a timescale of lateish summer for Ant1.7, and the task will ship, with a fair amount of todo items associated with it : http://wiki.apache.org/ant/Ant17_2fPlanning policy to verify that jars are signed (for private repositories) verify .md5 files to use whatever our ap

Re: long project names & repositories

2005-04-09 Thread Steve Loughran
On Apr 9, 2005 2:25 AM, Brett Porter <[EMAIL PROTECTED]> wrote: > > 1. I see that a Maven2 alpha is out: is it still using the Maven1 > > repository structure? > > News travels fast... I was going to post about that here this morning :) planetapache.org knows everything :) > > New repository: h

Re: long project names & repositories

2005-04-09 Thread Steve Loughran
On Apr 9, 2005 2:25 AM, Brett Porter <[EMAIL PROTECTED]> wrote: http://cvs.apache.org/viewcvs.cgi/maven-components/maven-artifact/src/main/java/org/apache/maven/artifact/repository/layout/DefaultRepositoryLayout.java?rev=1.8&view=markup > path.append( artifact.getBaseVersion() ).append(

Re: long project names & repositories

2005-04-10 Thread Steve Loughran
On Apr 10, 2005 2:06 AM, Brett Porter <[EMAIL PROTECTED]> wrote: > > planetapache.org knows everything :) > > Yes, I just caught your post :) > > > This is cool. > > -what is the local cache name/layout? > > Configurable, defaults to ~/.m2/repository and uses the "default" > layout, which is the

Re: long project names & repositories

2005-04-11 Thread Steve Loughran
On Apr 11, 2005 12:51 PM, Brett Porter <[EMAIL PROTECTED]> wrote: > (I'm assuming you meant to reply to all by the content - it happens > frequently with other gmail users - sorry if I'm out of place > repeating your message) no, that's gmail for you. > > At the very least we should continue to

Re: long project names & repositories

2005-04-11 Thread Steve Loughran
On Apr 11, 2005 2:02 PM, Brett Porter <[EMAIL PROTECTED]> wrote: > > the smartfrog solution is brute force unforgiving: you must declare > > the SHA1 or MD5 value in a download > > Right... I'm sure users wanting security will put up with a certain > level of pain. I'm still not sure how you secur

Re: long project names & repositories

2005-04-11 Thread Steve Loughran
On Apr 11, 2005 2:02 AM, Brett Porter <[EMAIL PROTECTED]> wrote: > > one problem I have for both systems is proxies; at work I can't go to > > remote http servers without proxy setup. What does maven do? > > wagon has a proxy configuration that it passes on to the JDK stuff as > system properties,

Re: long project names & repositories

2005-04-11 Thread Steve Loughran
On Apr 11, 2005 4:39 PM, Brett Porter <[EMAIL PROTECTED]> wrote: > If you needed that, couldn't the default system properties for proxies be > used? > 1. On Windows, this is hidden in a bit of the registry the API keeps from you, plus the java.util.prefs stuff escapes stuff *weirdly*, as i

Re: long project names & repositories

2005-04-11 Thread Steve Loughran
On Apr 11, 2005 5:27 PM, Brett Porter <[EMAIL PROTECTED]> wrote: > Sorry, I meant: http.proxyHost, http.proxyPort and counterparts as > standard names. > > - Brett well, you could do, but you need to work out 1. how to set up the options for every app you start on the command line 2. how to set

Maven2 support

2005-04-14 Thread Steve Loughran
I am pleased to announce that one of the SmartFrog system tests (the ones gump doesn't run for security reasons) has just successfully retrieved its first JAR from the maven2 repository Download extends Compound { sfSyncTerminate true; library extends Maven1Library { } /**

Re: Maven2 support

2005-04-15 Thread Steve Loughran
On 4/15/05, Brett Porter <[EMAIL PROTECTED]> wrote: > > -something with a different .md5 checksum than its real checksum. > > The repository is scanned every 4 hours and repairs missing/broken > md5s (bearing in mind that we don't consider them as a security > option, but a download integrity che

Re: Maven2 support

2005-04-15 Thread Steve Loughran
On 4/15/05, Henk P. Penning <[EMAIL PROTECTED]> wrote: > On Fri, 15 Apr 2005, Steve Loughran wrote: > > > Date: Fri, 15 Apr 2005 13:30:56 +0100 > > From: Steve Loughran <[EMAIL PROTECTED]> > > Cc: [EMAIL PROTECTED] > > Subject: Re: Maven2 support > >

GUI app on maven2 repository

2005-04-19 Thread Steve Loughran
> On 4/15/05, Brett Porter <[EMAIL PROTECTED]> wrote: >> On 4/15/05, Steve Loughran <[EMAIL PROTECTED]> wrote: > > > Also, and this is just for generic cool demo effects, who can point me > > > to a good (AWT/swing) app that the repository has? > > &

long project names & repositories

2005-04-08 Thread Steve Loughran
Hello all, 1. I see that a Maven2 alpha is out: is it still using the Maven1 repository structure? 2. I have been busy coding the SmartFrog support for Libraries (http://smartfrog.org). so that you can declare what your classpath is for running things at deploy time commons-logging extends M

Re: Proposal for a centralized Eclipse update manager site for Apache projects/software

2005-05-03 Thread Steve Loughran
On 5/3/05, Jeffrey Liu <[EMAIL PROTECTED]> wrote: > This is not easy. If there's an Eclipse update manager site for Apache > software, then when the user finds out s/he needs Tomcat and Axis, all s/he > needs to do now is launch the Eclipse update manager (URL to the Apache > update site will be p

Re: Proposal for a centralized Eclipse update manager site for Apache projects/software

2005-05-04 Thread Steve Loughran
On 5/3/05, Jeffrey Liu <[EMAIL PROTECTED]> wrote: > > Hi Steve, > > Configure in this case means the user goes to the Eclipse preference page, > choose the version of Tomcat that was downloaded, and point Eclipse to the > location where it was unzipped. Nothing major, but not obvious to novice

Re: Proposal for a centralized Eclipse update manager site for Apache projects/software

2005-05-04 Thread Steve Loughran
On 5/4/05, Niclas Hedhman <[EMAIL PROTECTED]> wrote: > On Wednesday 04 May 2005 19:34, Steve Loughran wrote: > > > maven repositories are fun because every JAR is on a URL; you can pass > > them to a URL classloader as is if you want. The .pom also declares > > depen

Re: Proposal for a centralized Eclipse update manager site for Apache projects/software

2005-05-04 Thread Steve Loughran
On 5/4/05, Niclas Hedhman <[EMAIL PROTECTED]> wrote: > On Wednesday 04 May 2005 19:54, Milos Kleint wrote: > > > Milos, didn't Netbeans itself devise some funky system for the > > > non-distributables and click-thru license approvals?? > > > > AFAIK such dependencies are scrambled and during the bu