Am 2020-05-29 um 20:55 schrieb Mark Thomas:
On 29/05/2020 19:42, Michael Osipov wrote:
Am 2020-05-29 um 16:48 schrieb Mark Thomas:
On 29/05/2020 15:23, Michael Osipov wrote:
Am 2020-05-29 um 14:05 schrieb Mark Thomas:
Hi,
Currently we use the (very old) Maven Ant Tasks to upload files to
Nexus. This has a hard-coded feature that adds MD5 and SHA-1 hashes for
every uploaded file. It also adds hashes for .asc files.
I investigated manually adding .sha256 and .sha512 files. This
works, bu
the upload process still adds .md5 and .sha1 files for the .sha256 and
.sha512 files. This is workable but not ideal.
I am currently investigating the possibility of switching to the newer
Maven Resolver Ant Tasks. This is a work in progress. It has a LOT more
dependencies and the default behaviour is unchanged. I am currently
looking at the source to see if the behaviour could be configured.
In amongst all of this I had a thought. What if we just made a binary
patch to the Maven Ant Tasks to switch it from creating MD5 and SHA-1
hashes to creating SHA-256 and SHA-512 hashes? At first glance this
looks to be a small tweak to a single class that should be doable with
BCEL (a bit like a very targetted Jakarta Migration Tool). Is this a
terrible idea? I wanted to get some feedback on this while I continued
to look at the Maven Resolver Ant Tasks.
I need to add a few lines here since I maintain Maven Resolver these
days. So no need to patch anything, we can work upstream.
We have/had these requests recently for SHA-2 family of hashes. What
hold me off is that Nexus before 2.14.18 did reject SHA-2 hashes for
Central. Moreover, you cannot omit MD5 and SHA-1 for Central because
they are mandatory, you won't pass evaluation on repository.a.o.
Regarding the JARs, I do use Maven Resolver Ant Tasks too at work to
customize Tomcat distributin for several OSes and there is a single JAR
you can use:
https://repo1.maven.org/maven2/org/apache/maven/resolver/maven-resolver-ant-tasks/1.2.0/maven-resolver-ant-tasks-1.2.0-uber.jar
Ah. I didn't see the uber JAR. That helps a lot.
I would not recommend committing it due to the size, but simply require
it to be in ~/.ant or in ANT_HOME.
Agreed. JARs don't belong in source repos. We can download it on demand.
When Aether has been adopted from Eclipse, license has also changed from
EPL to AL. I see no issues here.
Great.
WDYT?
Cool. I think we have a possible solution here.
1. Switch to using the maven-resolver-ant-tasks with the uber JAR.
This gives us the immediate benefit that we won't be generating .asc.md5
and .asc.sha1 files. I pretty much have this ready to go. I just need to
tweak it to use the uber JAR.
2. Update to a newer version of maven-resolver-ant-tasks when a version
that adds .sha256 and .sha512 is available. I'd be fine if it added
.md5, .sha1, .sha256 and .sha512
Correct. I have recently updated Resolver. Ant Tasks need some love to
perform again. This is the next point on my list. As soon as a new Ant
Tasks release is out, I will head over to Resolver master and provide
you a branch with a tentative fix for the SHA-2 issue.
Acceptable?
Perfect. Sounds great. I'm just about to update master to Maven Resolver
Ant Tasks in preparation. I'll back-port as well.
* Clone MRESOLVER, switch to MRESOLVER-56, install locally
* Clone MRESOLVER AT, update MRESOLVER to 1.4.3-SNAPSHOT, install locally
* Use the SNAPSHOT version of the Über JAR for your tests
I have built Maven 3.7.0-SNAPSHOT and was able to upload checksums to
repository.apache.org.
Michael
PS: This is all WIP, comments welcome!
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
