What about just setting up an authenticated, HTTP-based ivy repository and using the Apache server logs as your audit trail?
-Archie

On Wed, Apr 6, 2011 at 1:07 PM, Shawn Castrianni <[email protected]> wrote:

> I have been using IVY for 3 years now and love it. I use the filesystem
> resolver to get dependencies that I publish from my own builds and the svn
> resolver to get third-party dependencies that I have downloaded from the
> internet and manually checked in. My company wants to be very strict on
> third-party dependencies so that is why we get them from a controlled SVN
> repository and not straight from the Internet using ibiblio or whatever.
>
> Anyway, I was recently given a new requirement. I must track and trace all
> dependency downloads within the company so that I can produce an audit log
> when asked any time in the future. This audit log would contain the
> date/time and artifacts downloaded by a given user.
>
> I have been thinking on how to implement this and here are my thoughts:
>
> 1. Turn off read access on the filer server where the filesystem
> resolver is getting dependencies from so no one can bypass the auditing and
> grab artifacts directly. Set up a special user with read credentials to the
> file server that only the ANT/IVY scripts know about. Add custom ANT code
> to my master build script so that it captures the ivy resolve/retrieve log
> and sends it to some audit log storage server anytime a user runs the
> dependency command.
>
> 2. Move all of my published artifacts currently on the file server to
> SVN (similar to the third-party SVN repo described above). Change my
> filesystem resolver to an SVN resolver. Then any user running the
> dependency command will be pulling artifacts from SVN. I can then just use
> the SVN server logs as an audit trail. However, I worry about using SVN for
> hundreds of Gigabytes of data as an IVY dependency artifact repository. We
> produce about 4GB of data per day. Imagine how big the SVN repo would get
> after a year. With the current file server approach, we remove dependency
> artifacts older than a week to avoid this data accumulation problem.
>
> 3. Make my own custom IVY resolver that has audit trail support that
> can still use a filesystem. This is essentially the same as option #1 but
> the auditing is done in Java code as part of the custom IVY resolver instead
> of ANT code in the master build script.
>
> Anybody out there have any opinions or suggestions?
>
> ---
> Shawn Castrianni

--
Archie L. Cobbs
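
Added example (not part of the original thread): one way to turn Apache access logs into the per-user download audit trail discussed above. It assumes the server writes the standard "combined" LogFormat with the authenticated user in the %u field; the /ivyrepo/ prefix and all log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
REPO_PREFIX = "/ivyrepo/"  # hypothetical URL prefix of the Ivy repository

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - alice [06/Apr/2011:13:10:02 -0500] "GET /ivyrepo/acme/core/1.2/core-1.2.jar HTTP/1.1" 200 48213 "-" "Apache Ivy/2.2.0"
10.0.0.5 - alice [06/Apr/2011:13:10:02 -0500] "GET /ivyrepo/acme/core/1.2/ivy-1.2.xml HTTP/1.1" 200 912 "-" "Apache Ivy/2.2.0"
10.0.0.9 - - [06/Apr/2011:13:11:40 -0500] "GET /ivyrepo/acme/core/1.2/core-1.2.jar HTTP/1.1" 401 381 "-" "Apache Ivy/2.2.0"
10.0.0.9 - bob [06/Apr/2011:13:11:41 -0500] "GET /ivyrepo/acme/util/3.0/util-3.0.jar HTTP/1.1" 304 - "-" "Apache Ivy/2.2.0"
10.0.0.7 - - [06/Apr/2011:13:15:00 -0500] "GET /ivyrepo/acme/util/3.0/util-3.0.jar HTTP/1.1" 200 7710 "-" "curl/7.21.0"
10.0.0.5 - alice [06/Apr/2011:13:16:00 -0500] "PUT /ivyrepo/acme/core/1.3/core-1.3.jar HTTP/1.1" 201 - "-" "Apache Ivy/2.2.0"
this line is garbage
"""

def audit(log_text):
    """Return (downloads, unauthenticated, unparsed) from access-log text."""
    downloads, unauthenticated, unparsed = [], [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for review; silent drops hide gaps
            continue
        if m["method"] != "GET" or not m["path"].startswith(REPO_PREFIX):
            continue
        # Assumption: only 200/206 count as a download. 304 sends no body,
        # and 401/403 mean the request was denied.
        if m["status"] not in ("200", "206"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = (when.isoformat(), m["user"], m["host"],
               m["path"][len(REPO_PREFIX):])
        # A served artifact with user "-" means some path is not covered by
        # authentication, so the audit trail has a hole.
        (unauthenticated if m["user"] == "-" else downloads).append(rec)
    return downloads, unauthenticated, unparsed
```

Any entry in the second list is worth alerting on, since the audit requirement only holds if every served artifact maps to an authenticated user.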
