If your concern is that you don't want to have m2 work the "standard way", and by that I mean connected to the net to download whatever dependency you need on demand, then I think the answer to that is yes.
One thing you COULD do is have a sandbox user's repo that is done by connecting to the net, do the install online and connected to the public repositories, thereby building up the respository for the sandbox user, and then hand-checking the checksums for the artifacts in the sandbox user's local repo and sticking those elements into the company's internal repository for use by everyone using deploy:deploy-file. On 7/20/06, EJ Ciramella <[EMAIL PROTECTED]> wrote:
What stinks about this solution is maven upgrades. All of a sudden, we'll be installing a bazillion jars/poms. Right? -----Original Message----- From: Tamás Cservenák [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 19, 2006 9:45 PM To: Maven Users List Subject: Re: Maven 2 - more questions Hi EJ, i would like to provide a half of answer for question number 2. As i wrote that before, Proximity is able to work offline. If your IT is too paranoid to let Proximity fetch what is requested from it (and not found in the cache or found but expired), then i would suggest you to run Proximity OFFLINE, and create some corporate mechanism to request the new needed resources. On every resource (artifact) request, someone would get it, check it, and deploy it into "inhouse" (or central, non-cached ) repository under proximity. ---- I ensure you, that M2 makes proper (but not mandatory, although it's configurable) checksum validation, Proximity itself is NOT INVOLVED in this validation, it ONLY SERVES the artifact AND the checksum file using the SAME MECHANISMS. The actual remote fetch occures only in: http://proximity.abstracthorizon.org/px-core/xref/hu/ismicro/commons/proximity/base/remote/HttpClientRemotePeer.html and as you can see, the px-core (the Proximity Core) is not even Maven aware! You can think about Proximity as a simple HTTP proxy. The Maven "awareness" is given by these classes (px-core-maven, the maven bindings): http://proximity.abstracthorizon.org/px-core-maven/xref/index.html and those are merely involved in artifact/file "recognition", possibility for their separate expiration (logic) and indexing. Since indexing is NOT USED in core functionality of Proximity (it is just an "extra" service offered on search page), the leftover is "mostly harmless" :) ~t~ On 7/19/06, EJ Ciramella <[EMAIL PROTECTED]> wrote: > As we edge closer to moving more people onto maven 2 here, there are a > few questions that keep popping up, can anyone help with these? > > 1 - How are items submitted to repo1? I've read the article here > (http://maven.apache.org/guides/mini/guide-ibiblio-upload.html), but I > don't see a validation part. What the powers that be are afraid of is > someone putting in some junk or malicious code into one of the > dependency jars. > > 2 - Is there a https mirror for maven 2 repositories? We'd LIKE to use > proximity as a proxy, but because of the ever growing threat of man in > the middle attacks, having anything just automatically go out to the web > is dangerous in their eyes. > > If there are no answers, could someone point me directly to the code > involved? I need to see how the checksums are getting validated. > > Thanks in advance! > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Never wear anything that panics the cat. -- P. J. O'Rourke
