On 29/05/2020 15:23, Michael Osipov wrote:
> On 2020-05-29 at 14:05, Mark Thomas wrote:
>> Hi,
>>
>> Currently we use the (very old) Maven Ant Tasks to upload files to
>> Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for
>> every uploaded file. It also adds hashes for .asc files.
>>
>> I investigated manually adding .sha256 and .sha512 files. This works, but
>> the upload process still adds .md5 and .sha1 files for the .sha256 and
>> .sha512 files. This is workable but not ideal.
>>
>> I am currently investigating the possibility of switching to the newer
>> Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more
>> dependencies and the default behaviour is unchanged. I am currently
>> looking at the source to see if the behaviour could be configured.
>>
>> In amongst all of this I had a thought. What if we just made a binary
>> patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1
>> hashes to creating SHA-256 and SHA-512 hashes? At first glance this
>> looks to be a small tweak to a single class that should be doable with
>> BCEL (a bit like a very targeted Jakarta Migration Tool). Is this a
>> terrible idea? I wanted to get some feedback on this while I continued
>> to look at the Maven Resolver Ant Tasks.
>
> I need to add a few lines here since I maintain Maven Resolver these
> days. So no need to patch anything, we can work upstream.
> We have/had these requests recently for SHA-2 family of hashes. What
> held me off is that Nexus before 2.14.18 did reject SHA-2 hashes for
> Central. Moreover, you cannot omit MD5 and SHA-1 for Central because
> they are mandatory, you won't pass evaluation on repository.a.o.
> Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to
> customize Tomcat distribution for several OSes and there is a single JAR
> you can use:
> https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar

Ah. I didn't see the uber JAR. That helps a lot.

> I would not recommend committing it due to the size, but simply require
> it to be in ~/.ant or in ANT_HOME.

Agreed. JARs don't belong in source repos. We can download it on demand.

> When Aether has been adopted from Eclipse, license has also changed from
> EPL to AL. I see no issues here.

Great.

> WDYT?

Cool. I think we have a possible solution here.

1. Switch to using the maven-resolver-ant-tasks with the uber JAR. This
   gives us the immediate benefit that we won't be generating .asc.md5
   and .asc.sha1 files. I pretty much have this ready to go. I just need
   to tweak it to use the uber JAR.

2. Update to a newer version of maven-resolver-ant-tasks when a version
   that adds .sha256 and .sha512 is available. I'd be fine if it added
   .md5, .sha1, .sha256 and .sha512

Job done.

Mark
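
Added illustration, not code from this thread, from Tomcat's build or from Maven Resolver: a Python sketch of the end state discussed above, writing .md5, .sha1, .sha256 and .sha512 sidecars for each artifact while producing none for .asc signatures or for the checksum files themselves, plus a check that flags sidecars that no longer match. The function names, the sample file names and the bare-hex-digest sidecar format are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Sidecar extension -> hashlib algorithm. MD5 and SHA-1 stay in the set
# because the thread notes they are mandatory for Central.
ALGORITHMS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Signatures and checksum files must not get checksums of their own
# (the .asc.md5 / .sha256.md5 problem described in the thread).
SKIP_SUFFIXES = (".asc", *ALGORITHMS)


def digest(path: Path, algorithm: str) -> str:
    """Hex digest of a file, read in chunks so large JARs are not loaded whole."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecars(staging: Path) -> list[str]:
    """Write one sidecar per algorithm for every real artifact; return their names."""
    written = []
    # sorted() materialises the listing first, so new sidecars are not revisited.
    for artifact in sorted(p for p in staging.iterdir() if p.is_file()):
        if artifact.name.endswith(SKIP_SUFFIXES):
            continue
        for ext, algorithm in ALGORITHMS.items():
            sidecar = artifact.with_name(artifact.name + ext)
            sidecar.write_text(digest(artifact, algorithm), encoding="ascii")
            written.append(sidecar.name)
    return written


def verify_sidecars(staging: Path) -> list[str]:
    """Return names of sidecars whose content no longer matches their artifact."""
    bad = []
    for sidecar in sorted(staging.iterdir()):
        algorithm = ALGORITHMS.get(sidecar.suffix)
        artifact = sidecar.with_suffix("")  # strips only the checksum extension
        if algorithm and artifact.is_file():
            if sidecar.read_text().strip().lower() != digest(artifact, algorithm):
                bad.append(sidecar.name)
    return bad


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample staging dir
        (Path(tmp) / "example-1.0.jar").write_bytes(b"constructed jar bytes")
        (Path(tmp) / "example-1.0.jar.asc").write_bytes(b"constructed signature")
        print(write_sidecars(Path(tmp)), verify_sidecars(Path(tmp)))
```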