Jason van Zyl <[EMAIL PROTECTED]> wrote on 07/22/2002 03:13:53 AM:

> On Sun, 2002-07-21 at 12:35, [EMAIL PROTECTED] wrote:
> > I've found several times lately that the local repo gets bad jar files in
> > it, see attached for an example.
> >
> > 
> > 
> > We need some way other than timestamp of verifying a jar is ok, or better
> > still not creating it if the download is not complete.
> 
> I'll add some checksums to the mix. I don't think I've ever had a bad JAR.
> But general overall verification of the repository will certainly be
> necessary before widespread use.

It's not the remote repos that are the problem, it's the local copies. I 
use a laptop and switch networks all the time, so it's not surprising to 
me that I end up running without the proper proxy settings configured. 
But even so the jars should either be valid or not copied locally.

> 
> > This makes maven a fragile tool in the end, as we're only as good as the
> > downloads, and downloading is notoriously crappy.
> 
> I generally haven't found it to be notoriously crappy. But with some
> checksums and the use of the ibiblio mirror I think we'll be just fine.
Excellent.

> > Does this happen to anyone else (need to delete bad jars in local
> > repo?)?
> 
> Not yet.
> 
> > And if so, what's the best way that we can fix it? From memory, the ant
> > get task is broken in that it writes bad files.
> 
> There was a patch to fix the zero length jars being written, which I
> believe was for windows machines.
Well that rules me out. I'm running Linux most times.

> > I've also seen files with
> > 'Socket connect reset' in them where the proxy returns that and the get
> > task writes it out blindly.
> 
> Haven't seen that one myself
> 
> > There must be a better way....
> 
> I don't think it will be at all hard to fix.
Nope, it's not hard....just necessary.

I hate having to tell people to clean out lib.repo as part of bootstrap. 
It shouldn't be necessary, but due to the lack of checking it sometimes 
is.

What about signed jars and security as well? Will people automatically 
'trust' jar files in the repo, or should there be a security manager in 
place?
--
dIon Gillard, Multitask Consulting
Work:      http://www.multitask.com.au
Developers: http://adslgateway.multitask.com.au/developers
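
The fix discussed in this thread (checksum the download, and never leave a partial or bogus file under the jar's name in the local repo) as an added example; it is not part of the original e-mail and not Maven's code. SHA-256, the `.part` staging suffix, the function names and the sample jar are assumptions made for illustration.

```python
import hashlib, io, os, tempfile, zipfile

class BadArtifact(Exception):
    """A fetched file failed verification and was not installed."""

def install_artifact(chunks, dest, expected_sha256):
    """Stage bytes in a .part file; rename to dest only after checks pass."""
    dest_dir = os.path.dirname(os.path.abspath(dest))
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                digest.update(chunk)
                out.write(chunk)
        if digest.hexdigest() != expected_sha256.lower():
            raise BadArtifact("checksum mismatch")
        try:
            with zipfile.ZipFile(tmp) as jar:   # rejects non-archives
                corrupt = jar.testzip()         # CRC-checks every entry
        except zipfile.BadZipFile as exc:
            raise BadArtifact("not a jar: %s" % exc)
        if corrupt is not None:
            raise BadArtifact("corrupt entry: " + corrupt)
        os.replace(tmp, dest)                   # atomic publish under final name
    finally:
        if os.path.exists(tmp):                 # failed download leaves nothing
            os.remove(tmp)
    return dest

def sample_jar():
    """Constructed sample: a tiny in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

def try_install(body, expected_sha256):
    """Return (installed?, files left in the repo dir) for one download body."""
    with tempfile.TemporaryDirectory() as repo:
        dest = os.path.join(repo, "example-1.0.jar")  # hypothetical artifact name
        try:
            install_artifact([body], dest, expected_sha256)
            ok = True
        except BadArtifact:
            ok = False
        return ok, sorted(os.listdir(repo))
```

A checksum fetched from the same repository as the jar catches truncated downloads and proxy error pages, but not a tampered repository; the signed-jar question raised above needs a signature check against a key obtained out of band.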

