On 7-Oct-08, at 12:02 AM, Niclas Hedhman wrote:
On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl <[EMAIL PROTECTED]>
wrote:
The central repository is the Maven PMC's business. What results
will be
public policy but we'd like to avoid the banter of the misinformed
so we can
arrive at a decision quickly.
Yes, although the PMC is expected to do all non-sensitive discussion
on the public dev@ list. But, so far I think the central repo has
served the Java communities (not only Apache) very well. It allows
sync'ing from other repository hosts, which has made life a lot easier
for smaller projects.
That said, I think that Maven should move away from a central
repository, and instead go with distributed ones and possibly harness
the power of search engines (Yahoo RDF?) to locate stuff everywhere.
This is already possible with Nexus (http://nexus.sonatype.org).
Nexus, or the Nexus CLI tool, produces a Lucene index which Nexus uses
to create a federated searching and retrieval mechanism.
One instance of Nexus can proxy any other Maven repository -- a
repository manager or normal webserver -- and with the presence of the
Nexus index allows federated searching and retrieval of artifacts
through that single instance. Some groups are already starting to
provide Nexus indices:
http://docs.codehaus.org/display/M2ECLIPSE/Nexus+Indexed+Maven+Repositories
This means you as a user can setup Nexus locally, create proxied
repositories and get access to the contents of those repositories. So
if everyone did this we could federate all the repositories around the
world and then central just becomes a switchboard. This would be great
as it would distribute the load around, but I think we still might
want to collect everything in one place for safety.
To be able to do that securely, some clever security mechanisms must
first be developed, and since that is in line with security-concerned
people, I think it is a good thing to do so. "How hard can it be?",
considering the expertise around detailing the requirements almost at
code level, right ;-) ?
Mercury will support PGP validation, and we are building support for
PGP into Nexus so the indices could be retrieved and validated, and
subsequent retrieval of artifacts could then also be validated. The
technology is pretty much there to do what you're asking for but
producing the indices in all the repositories will take time. But
people are doing because it also provides value in the IDEs.
m2eclipse, Netbeans, and IDEA are already integrating Nexus index
technology to provide full POM auto-completion support, and we also
use the index to find Maven plugins, Maven archetypes, and flag
artifacts as having sources, javadocs, and valid checksums and
signatures. So people will create indices to get the value in IDEs and
as a consequence federating everything is possible.
Cheers
Niclas
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Thanks,
Jason
----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
jason at sonatype dot com
----------------------------------------------------------
We know what we are, but know not what we may be.
-- Shakespeare
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
