Posted to general@james.apache.org by Stefano Bagnara <ap...@bago.org> on 2006/08/01 18:05:37 UTC

Re: website updated, maven2 poms, temporary repository, new artifacts

Noel J. Bergman wrote:
> If and when the ASF decides to host our own Maven repository wherein we can
> ensure that for all time we have ALL necessary artifacts to build all
> historical versions, I'll be happy to revisit whether we should maintain the
> artifacts in SVN.

Can we live for a while with a pom.xml that generates our site and 
reports using untrusted libraries?

I will take the risk to run the maven tasks so if it will download 
something unexpected no one will care about this.

I agree about the security issues raised by Noel but I would like to 
avoid requiring from maven things that we never required from ant.

FWIW maven team is already moving in the right direction:
http://docs.codehaus.org/display/MAVEN/Repository+Security+Improvements

The proposal seems to be good but unfortunately it seems that someone 
has to integrate already existing code and implement missing parts, so 
no ETA for this.

Btw I'd like to have a simple roadmap:
1) now we keep the "unsafe" maven stuff to build server website
2) when we'll be ready to move server to maven2 for build and packaging 
we will review what directory project did and the status of that new 
security features in maven and will decide whether:
   3a) create a maven repository for third party dependencies under 
james website or under an svn subfolder of the james repository.
   3b) use the new features and skip the creation of our repository
   3c) use a third-party repository that ASF created in the mean time.

I believe that 2 won't happen before the end of the year so we could 
wait and look out from the window in the mean time.

Is this ok?

Stefano