On Fri, May 29, 2020 at 8:55 PM Mark Thomas <ma...@apache.org> wrote:

> On 29/05/2020 19:42, Michael Osipov wrote:
> > Am 2020-05-29 um 16:48 schrieb Mark Thomas:
> >> On 29/05/2020 15:23, Michael Osipov wrote:
> >>> Am 2020-05-29 um 14:05 schrieb Mark Thomas:
> >>>> Hi,
> >>>>
> >>>> Currently we use the (very old) Maven Ant Tasks to upload files to
> >>>> Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for
> >>>> every uploaded file. It also adds hashes for .asc files.
> >>>>
> >>>> I investigated manually adding .sha256 and .sha512 files. This works, but
> >>>> the upload process still adds .md5 and .sha1 files for the .sha256 and
> >>>> .sha512 files. This is workable but not ideal.
> >>>>
> >>>> I am currently investigating the possibility of switching to the newer
> >>>> Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more
> >>>> dependencies and the default behaviour is unchanged. I am currently
> >>>> looking at the source to see if the behaviour could be configured.
> >>>>
> >>>> In amongst all of this I had a thought. What if we just made a binary
> >>>> patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1
> >>>> hashes to creating SHA-256 and SHA-512 hashes? At first glance this
> >>>> looks to be a small tweak to a single class that should be doable with
> >>>> BCEL (a bit like a very targeted Jakarta Migration Tool). Is this a
> >>>> terrible idea? I wanted to get some feedback on this while I continued
> >>>> to look at the Maven Resolver Ant Tasks.
> >>>
> >>> I need to add a few lines here since I maintain Maven Resolver these
> >>> days. So no need to patch anything, we can work upstream.
> >>> We have/had these requests recently for SHA-2 family of hashes. What
> >>> held me off is that Nexus before 2.14.18 did reject SHA-2 hashes for
> >>> Central. Moreover, you cannot omit MD5 and SHA-1 for Central because
> >>> they are mandatory, you won't pass evaluation on repository.a.o.
> >>> Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to
> >>> customize Tomcat distribution for several OSes and there is a single JAR
> >>> you can use:
> >>>
> >>> https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar
> >>>
> >>
> >> Ah. I didn't see the uber JAR. That helps a lot.
> >>
> >>> I would not recommend committing it due to the size, but simply require
> >>> it to be in ~/.ant or in ANT_HOME.
> >>
> >> Agreed. JARs don't belong in source repos. We can download it on demand.
> >>
> >>> When Aether has been adopted from Eclipse, license has also changed from
> >>> EPL to AL. I see no issues here.
> >>
> >> Great.
> >>
> >>> WDYT?
> >>
> >> Cool. I think we have a possible solution here.
> >>
> >> 1. Switch to using the maven-resolver-ant-tasks with the uber JAR.
> >>
> >> This gives us the immediate benefit that we won't be generating .asc.md5
> >> and .asc.sha1 files. I pretty much have this ready to go. I just need to
> >> tweak it to use the uber JAR.
> >>
> >> 2. Update to a newer version of maven-resolver-ant-tasks when a version
> >> that adds .sha256 and .sha512 is available. I'd be fine if it added
> >> .md5, .sha1, .sha256 and .sha512
> >
> > Correct. I have recently updated Resolver. Ant Tasks need some love to
> > perform again. This is the next point on my list. As soon as a new Ant
> > Tasks release is out, I will head over to Resolver master and provide
> > you a branch with a tentative fix for the SHA-2 issue.
> >
> > Acceptable?
>
> Perfect. Sounds great. I'm just about to update master to Maven Resolver
> Ant Tasks in preparation. I'll back-port as well.
>

Worth trying at least ;)

Rémy
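
An added example, not part of the thread and not Tomcat's or Maven Resolver's own code: a shell sketch of the manual approach discussed above, writing .sha256 and .sha512 sidecar files for release artifacts while skipping .asc signatures and existing checksum files, so no hash-of-a-hash or hash-of-a-signature files appear. It assumes GNU coreutils (`sha256sum`, `sha512sum`) and a flat staging directory; the function names are hypothetical.

```shell
# Added example: SHA-2 sidecar files for artifacts in a staging directory.
# Assumption: GNU coreutils sha256sum/sha512sum are on PATH.

# True for files that must never get their own checksum sidecar.
is_sidecar() {
    case "$1" in
        *.asc|*.md5|*.sha1|*.sha256|*.sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# Write <file>.sha256 and <file>.sha512 (hex digest only) for every
# artifact in the directory; prints the number of artifacts processed.
write_checksums() {
    dir=$1
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_sidecar "$f" && continue
        sha256sum "$f" | cut -d' ' -f1 > "$f.sha256"
        sha512sum "$f" | cut -d' ' -f1 > "$f.sha512"
        count=$((count + 1))
    done
    echo "$count"
}

# Recompute both digests for every artifact and compare with the sidecars.
# Returns non-zero on a missing sidecar or a mismatch.
verify_checksums() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_sidecar "$f" && continue
        for alg in sha256 sha512; do
            [ -f "$f.$alg" ] || return 1
            actual=$("${alg}sum" "$f" | cut -d' ' -f1)
            [ "$actual" = "$(cat "$f.$alg")" ] || return 1
        done
    done
    return 0
}
```

Running `verify_checksums` against the staged directory before upload catches an artifact that was rebuilt or altered after its sidecars were written.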
