Posted to dev@maven.apache.org by "Brett Porter (JIRA)" <ji...@codehaus.org> on 2005/07/28 08:25:57 UTC

[jira] Closed: (MNG-615) Implement repository POM confidence levels

     [ http://jira.codehaus.org/browse/MNG-615?page=all ]
     
Brett Porter closed MNG-615:
----------------------------

    Resolution: Fixed

> Implement repository POM confidence levels
> ------------------------------------------
>
>          Key: MNG-615
>          URL: http://jira.codehaus.org/browse/MNG-615
>      Project: Maven 2
>         Type: New Feature
>   Components: maven-artifact
>     Reporter: Brett Porter
>     Assignee: Brett Porter
>     Priority: Blocker
>      Fix For: 2.0-beta-1

>
>
> Let's add a source to the distributionManagement in the POM which is rewritten by the repository tool:
> "none" - there is no information about the POM's confidence level (the default)
> "converted" - converted from a Maven 1.x POM, so we can be sure the format is valid but the data within it may be incomplete
> "partner" - synced in directly from a partner site (and was a Maven2 POM, current partners will be converted instead)
> "deployed" - deployed to the repository directly using deploy:deploy
> "verified" - hand verified the information in the POM
> I think this is a sliding scale of confidence in the data. I think each should be able to have an interval attached to it to check for metadata updates (but not updates to the JAR itself - this is just about redownloading the POM). By default, I would check none and converted daily and the rest never. Once again, a CLI switch could check them all again. Your releases could require a certain level of confidence - if you accept anything less than verified, you might risk a reproducibility problem in the future. One change that might be needed is to get maven-proxy to recognise this.
> There has been more than one instance of a jar getting corrupted in the repository too. Because once compromised this might be propagated to multiple levels, we do need a way to do integrity checks of local and internal repositories against the main one by checking that the sha1's match up and match what is local. This can be something added at a later date, just wanted to keep it in mind.

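An added sketch of the policy described in the issue (not code from the issue or from Maven): the five source values as an ordered scale, the proposed default POM re-check intervals, a release gate on a minimum level, and the SHA-1 comparison against the main repository. The function names, the assumption that the levels rank in the order listed, and the choice to treat a missing or unknown value as "none" are all hypothetical.

```python
import hashlib
from datetime import timedelta
from enum import IntEnum

class Confidence(IntEnum):
    # Assumption: the issue lists the levels from lowest to highest confidence.
    NONE = 0
    CONVERTED = 1
    PARTNER = 2
    DEPLOYED = 3
    VERIFIED = 4

# Defaults proposed in the issue: "none" and "converted" daily, the rest never (None).
DEFAULT_INTERVAL = {
    Confidence.NONE: timedelta(days=1),
    Confidence.CONVERTED: timedelta(days=1),
    Confidence.PARTNER: None,
    Confidence.DEPLOYED: None,
    Confidence.VERIFIED: None,
}

def parse_level(source):
    """Map a POM's source string to a level; missing or unknown values fall back to NONE."""
    try:
        return Confidence[(source or "none").strip().upper()]
    except KeyError:
        return Confidence.NONE

def pom_needs_recheck(level, last_checked, now, force=False):
    """Decide whether to redownload the POM (never the JAR); force models the CLI switch."""
    if force:
        return True
    interval = DEFAULT_INTERVAL[level]
    return interval is not None and now - last_checked >= interval

def release_blockers(deps, minimum=Confidence.VERIFIED):
    """Return the dependencies whose POM confidence is below the level a release requires."""
    return sorted(name for name, source in deps.items() if parse_level(source) < minimum)

def sha1_matches(local_bytes, published_sha1):
    """Compare a local artifact's SHA-1 with the checksum text published upstream.

    Accepts a bare hex digest or a "digest  filename" line; empty text never matches.
    """
    published = published_sha1.split()[0].lower() if published_sha1.strip() else ""
    return hashlib.sha1(local_bytes).hexdigest() == published
```

SHA-1 is used here because it is the checksum the issue names; a match shows only that the local copy agrees with the main repository, not that the upstream artifact itself is trustworthy.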