Posted to repository@apache.org by Mark Thomas <ma...@apache.org> on 2005/12/01 21:45:15 UTC
How to publish jars
Hi,
I am trying to meet the requirements of one of our Tomcat users as
expressed in this bug report.
http://issues.apache.org/bugzilla/show_bug.cgi?id=37737
Is it sufficient to copy the jars from the TC4.1.31 distribution (with
md5's in the right format) to
http://www.apache.org/dist/java-repository/tomcat/jars/ ?
Do I have to do anything else?
Should I do anything else?
Thanks,
Mark
Re: How to publish jars
Posted by Carlos Sanchez <ca...@apache.org>.
Hi,
The more jars you can put there the better ;)
Format is nameofjar-version.jar, md5 signatures "at least" should be provided.
Thanks
On 12/1/05, Mark Thomas <ma...@apache.org> wrote:
> Henk P. Penning wrote:
> > On Thu, 1 Dec 2005, Mark Thomas wrote:
> >>Hi,
> >>
> >>I am trying to meet the requirements of one of our Tomcat users as
> >>expressed in this bug report.
> >>http://issues.apache.org/bugzilla/show_bug.cgi?id=37737
> >>
> >>Is it sufficient to copy the jars from the TC4.1.31 distribution (with
> >>md5's in the right format) to
> >>http://www.apache.org/dist/java-repository/tomcat/jars/ ?
> >>
> >>Do I have to do anything else?
> >
> > You have to provide PGP digital signatures ; this is required
> > for every piece of software in 'www.apache.org/dist/'.
> >
> > See
> >
> > http://www.apache.org/dev/mirror-step-by-step.html
>
> Really? I don't see a single pgp signature for any jar in any
> http://www.apache.org/dist/java-repository/*/jars directory
>
> Most have md5's. Some have sha1's as well. Some have nothing at all.
>
> All of our distros under http://www.apache.org/dist/tomcat/ are pgp
> signed.
>
> Mark
>
> > Regards,
> >
> > Henk Penning
>
>
Re: How to publish jars
Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Thu, 1 Dec 2005, Mark Thomas wrote:
> Date: Thu, 01 Dec 2005 21:30:08 +0000
> From: Mark Thomas <ma...@apache.org>
> Cc: repository@apache.org
> Subject: Re: How to publish jars
>
> Henk P. Penning wrote:
> > You have to provide PGP digital signatures ; this is required
> > for every piece of software in 'www.apache.org/dist/'.
> Really? I don't see a single pgp signature for any jar in any
> http://www.apache.org/dist/java-repository/*/jars directory
Really.
http://www.apache.org/dist/java-repository/cocoon/jars/
> Most have md5's. Some have sha1's as well. Some have nothing at all.
True, and that's bad. Fortunately it's changing. See
http://people.apache.org/~henkp/checker/sig.html
Please do the right thing, and sign your stuff. There is really
no reason why stuff in 'java-repository' should be exempt from
a policy that's widely followed in the rest of www.apache.org/dist.
Since the 'java-repository' is somehow a rather 'wild' part of
'www.apache.org/dist', it is especially important that stuff is
signed ; look at 'java-repository/tomcat/jars/' ; almost all
files are group writable by group 'apcvs' ; that's a 1000 people
that can change any file without changing the owner of the file.
> All of our distros under http://www.apache.org/dist/tomcat/ are pgp
> signed.
Very good. Please do the same for 'java-repository/tomcat/jars/'.
> Mark
Henk Penning
---------------------------------------------------------------- _
Henk P. Penning, Computer Systems Group R Uithof CGN-A232 _/ \_
Dept of Computer Science, Utrecht University T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html M penning@cs.uu.nl \_/
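The two conditions raised in the message above (jars published without a PGP signature, and group-writable files) can be checked with a short audit script. This is an added example, not part of the thread and not Apache tooling; the function names, the `.asc`/`.md5`/`.sha1` companion-file naming and the sample files are assumptions, and the script checks only that a signature file is present, not that it verifies.

```shell
#!/bin/sh
# Added example: audit a jar directory for missing signatures/checksums
# and for group-writable jars.

# audit_jars DIR
# Prints one line per *.jar in DIR: "OK <name>" or "FAIL <name>: <reasons>".
# Returns 1 if any jar fails, 0 otherwise.
audit_jars() {
    dir=$1
    rc=0
    for jar in "$dir"/*.jar; do
        [ -f "$jar" ] || continue          # glob matched nothing
        reasons=""
        # A detached PGP signature is the required companion file.
        [ -s "$jar.asc" ] || reasons="$reasons no-pgp-signature"
        # A checksum beside the jar does not authenticate it, but flag jars with none.
        [ -s "$jar.md5" ] || [ -s "$jar.sha1" ] || reasons="$reasons no-checksum"
        # Group write bit (octal 020) lets any group member replace the file.
        if [ -n "$(find "$jar" -perm -020)" ]; then
            reasons="$reasons group-writable"
        fi
        if [ -n "$reasons" ]; then
            echo "FAIL ${jar##*/}:$reasons"
            rc=1
        else
            echo "OK ${jar##*/}"
        fi
    done
    return "$rc"
}

# make_sample_repo: builds a constructed directory (file names and contents
# are made up for this example) and prints its path.
make_sample_repo() {
    d=$(mktemp -d) || return 1
    for f in alpha-1.0.jar beta-2.0.jar gamma-3.0.jar; do
        echo "constructed jar body" > "$d/$f"
        chmod 644 "$d/$f"
    done
    echo "constructed signature" > "$d/alpha-1.0.jar.asc"
    echo "constructed digest" > "$d/alpha-1.0.jar.md5"
    echo "constructed digest" > "$d/beta-2.0.jar.md5"   # checksum, no signature
    chmod 664 "$d/gamma-3.0.jar"                        # group-writable, nothing else
    echo "$d"
}

if [ "$#" -gt 0 ]; then audit_jars "$1"; fi
```

Run it as `sh audit.sh /path/to/jars`; a jar that passes here still needs its signature checked against the project's published keys.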
Re: How to publish jars
Posted by Mark Thomas <ma...@apache.org>.
Henk P. Penning wrote:
> On Thu, 1 Dec 2005, Mark Thomas wrote:
>>Hi,
>>
>>I am trying to meet the requirements of one of our Tomcat users as
>>expressed in this bug report.
>>http://issues.apache.org/bugzilla/show_bug.cgi?id=37737
>>
>>Is it sufficient to copy the jars from the TC4.1.31 distribution (with
>>md5's in the right format) to
>>http://www.apache.org/dist/java-repository/tomcat/jars/ ?
>>
>>Do I have to do anything else?
>
> You have to provide PGP digital signatures ; this is required
> for every piece of software in 'www.apache.org/dist/'.
>
> See
>
> http://www.apache.org/dev/mirror-step-by-step.html
Really? I don't see a single pgp signature for any jar in any
http://www.apache.org/dist/java-repository/*/jars directory
Most have md5's. Some have sha1's as well. Some have nothing at all.
All of our distros under http://www.apache.org/dist/tomcat/ are pgp
signed.
Mark
> Regards,
>
> Henk Penning
Re: How to publish jars
Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Thu, 1 Dec 2005, Mark Thomas wrote:
> Date: Thu, 01 Dec 2005 20:45:15 +0000
> From: Mark Thomas <ma...@apache.org>
> To: repository@apache.org
> Subject: How to publish jars
>
> Hi,
>
> I am trying to meet the requirements of one of our Tomcat users as
> expressed in this bug report.
> http://issues.apache.org/bugzilla/show_bug.cgi?id=37737
>
> Is it sufficient to copy the jars from the TC4.1.31 distribution (with
> md5's in the right format) to
> http://www.apache.org/dist/java-repository/tomcat/jars/ ?
>
> Do I have to do anything else?
You have to provide PGP digital signatures ; this is required
for every piece of software in 'www.apache.org/dist/'.
See
http://www.apache.org/dev/mirror-step-by-step.html
> Mark
Regards,
Henk Penning
---------------------------------------------------------------- _
Henk P. Penning, Computer Systems Group R Uithof CGN-A232 _/ \_
Dept of Computer Science, Utrecht University T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html M penning@cs.uu.nl \_/