Am 06/26/14 17:18, schrieb Stephen Connolly: > And the staleness is another killer on the: "oh why don't we use DNS > records to resolve the repository" because what if foobar.org do not renew > their domain, now all the org.foobar artifacts will just drop off the net > and we have no means to inject a repo for them again...
Central authority fallback zone. So if 'foobar.org' isn't renewed so that DNS becomes unavailable, one could move that groupId to a fallback zone like: 'groupid.central.apache.org' or something like this. Some mechanism like this would already be required for group ids like 'commons-io' or such which cannot be mapped to a domain directly. So resolve repositories for 'groupId' by DNS at 'groupId', not finding any records there, search the fallback zone 'groupId.central.apache.org', not finding anything there, fallback to legacy POM repositories (optionally). Still nothing found, fail with artifact not found. If a '<repository>' with an URL like 'repository.foobar.org' is used, that repository would become stale as well already. You would have control about that via such a repository authority zone. > I think dropping <repositories> and using social pressure to "get thee to > central" is probably the best worst long term solution Nothing can stop people from grabbing the Maven source distribution and patching it to theire needs and nothing can stop people from grabbing the sources of some artifact from 'central' and redeploy it to some other repository. I am heading after a mechanism to make the artifact providers the autoritative entity controlling the repositories to resolve _theire_ artifacts from. If someone needs to e.g. deploy a custom 'commons-io', they are forced to change the groupId to something they are authoritative for since Maven will never fetch that 'commons-io' from a non-authoritative repository. Just put everything into 'central' isn't practical, I think. That's like deploying all websites of the world to a central server. You type 'maven.apache.org' into the browser and you are connected to the corresponding web server. You type 'commons-io:commons-io:2.4' into the POM, and you get connected to somewhere non-authoritative and fetch some non-authoritative content, if not careful and the providers of 'commons-io' cannot do anything about that. Regards, -- Christian --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
