On Friday 30 September 2016, Jaroslav Tulach
wrote:
> 28. 9. 2016 v 11:25, Greg Stein >:
>
> > On Tue, Sep 27, 2016 at 10:13 PM, Jaroslav Tulach <
> jaroslav.tul...@gmail.com
> >> wrote:
> >> ...
> >
> >> One idea that keeps puzzlin
28. 9. 2016 v 11:25, Greg Stein :
> On Tue, Sep 27, 2016 at 10:13 PM, Jaroslav Tulach > wrote:
>> ...
>
>> One idea that keeps puzzling in my mind is to reuse central Maven
>> repository
>> more than we used to. If I understand correctly while the Maven central
On Wed, Sep 28, 2016 at 5:13 AM, Jaroslav Tulach
wrote:
> There are also the [3rd party binaries used during NetBeans build](http://
> hg.netbeans.org/binaries/) - most of them available from Maven central. I
> already [created a patch](http://hg.netbeans.org/releases/rev/3178d0a561c8) to
> allow
On Wed, Sep 28, 2016 at 12:56 PM, Wade Chandler
wrote:
> ...more later when we get to an incubator...
+1
-Bertrand
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...
On Sep 28, 2016 5:55 AM, "Sven Reimers" wrote:
>
>
> 2. Use Maven repository as storahe backend for the plugin portal, so that
> only the metadata is hosted at the portal not the module binaries..
>
I think the terminology here is key. A "storage backend" f
Hi,
if I understood Jaroslav correct he is proposing two changes
1. Download 3rd party binaries needed to build NetBeans from a maven
repository (maven central, jcenter or if you behinf corporate firewalls a
synced self hosted repo using nexus or artifactory)
2. Use Maven repository as storahe
On Tue, Sep 27, 2016 at 10:13 PM, Jaroslav Tulach wrote:
>...
> One idea that keeps puzzling in my mind is to reuse central Maven
> repository
> more than we used to. If I understand correctly while the Maven central is
> operated by Sonatype, it is just "leased" to th
l have to find other people willing to
> > host this.
>
> Hi.
> One idea that keeps puzzling in my mind is to reuse central Maven
> repository
> more than we used to. If I understand correctly while the Maven central is
> operated by Sonatype, it is just "leased"
ows how to produce Maven artifacts and there is a NetBeans
Maven repository: http://bits.netbeans.org/nexus/content/groups/netbeans/
In addition to that we could modify the http://plugins.netbeans.org to be just
a catalog over bits available in Maven central.
There are also the [3rd party binaries us
No, Henry, I'm not blocked by it although having another issue, let's talk
about it in another thread. Thanks.
On Wed, Aug 17, 2016 at 2:13 AM, Henry Saputra
wrote:
> Michael,
>
> Both issues are closed. Are you still blocked with the repo for eagle
> creation?
>
> - Henry
>
> On Sun, Aug 14, 20
Michael,
Both issues are closed. Are you still blocked with the repo for eagle
creation?
- Henry
On Sun, Aug 14, 2016 at 8:27 PM, Michael Wu wrote:
> Got it, John, i'll take notice. Thanks. Sorry for the spam.
>
> On Mon, Aug 15, 2016 at 10:22 AM, John D. Ament
> wrote:
>
> > Michael,
> >
> >
Got it, John, i'll take notice. Thanks. Sorry for the spam.
On Mon, Aug 15, 2016 at 10:22 AM, John D. Ament
wrote:
> Michael,
>
> Your best bet is to ping infra. If email doesn't work, hopping on to
> hipchat with them may work.
> http://www.apache.org/dev/infra-contact
>
> John
>
> On Sun, Aug
Michael,
Your best bet is to ping infra. If email doesn't work, hopping on to
hipchat with them may work.
http://www.apache.org/dev/infra-contact
John
On Sun, Aug 14, 2016 at 10:15 PM Michael Wu wrote:
> Hi Jake,
>
> Could you please help on this case? There are some required dependencies
> b
Hi Jake,
Could you please help on this case? There are some required dependencies
blocked. Thanks.
Michael
On Thu, Aug 11, 2016 at 11:20 AM, Michael Wu wrote:
> Hi Jake,
>
> Tickets created:
> https://issues.apache.org/jira/browse/INFRA-12409
> https://issues.apache.org/jira/browse/INFRA-12410
Hi Jake,
Tickets created:
https://issues.apache.org/jira/browse/INFRA-12409
https://issues.apache.org/jira/browse/INFRA-12410
Thanks for helping it out.
Michael
On Tue, Aug 9, 2016 at 12:00 AM, Jake Farrell wrote:
> Your user will have to get added to nexus, can you please put in an infra
>
Your user will have to get added to nexus, can you please put in an infra
ticket for this
-Jake
On Sun, Aug 7, 2016 at 11:35 PM, Michael Wu wrote:
> Hi there,
>
> My apache account is "mw".
>
> I was trying to use
>
> $> mvn -Papache-release -DskipTests -Dgpg.passphrase=${GPG_PASSPHRASE}
>
Hi there,
My apache account is "mw".
I was trying to use
$> mvn -Papache-release -DskipTests -Dgpg.passphrase=${GPG_PASSPHRASE}
deploy
to upload eagle's jars to https://repository.apache.org/
service/local/staging/deploy/maven2, but it always returned 400 error, as
below fragment:
*
Thanks for the reply Brian, this is much relief.
However in your initial response your wording clearly indicated the new policy
already being enforced, up to:
"[...] your artifacts will end up blocked."
A little less restrictive description could have prevented this
misunderstanding...
I think
>> Interesting. That's news to me... You have a pointer to more information?
>
As it turns out, almost all references to external repositories in
poms are junk or turn out to be junk after a bit of time. See here for
some examples:
http://www.sonatype.com/people/2010/03/why-external-repos-are-bein
On 03/23/2010 01:01 AM, Kevan Miller wrote:
On Mar 20, 2010, at 4:45 PM, Brian Fox wrote:
At the Central repository we are restricting the inclusion of external
repositories because this generally creates a mess. This is being
enforced on new artifacts coming in so I would recommend you do not
On Mar 20, 2010, at 4:45 PM, Brian Fox wrote:
> At the Central repository we are restricting the inclusion of external
> repositories because this generally creates a mess. This is being
> enforced on new artifacts coming in so I would recommend you do not
> add them or your artifacts themselves
We are having the same problem in Clerezza, one of the dependencies that
isn't in the central repo is sesame 2 [1]. I think we have the following
options:
- not include the sesame backend in the default distribution (users who need
it would have to compile it their selves of download it from elsew
At the Central repository we are restricting the inclusion of external
repositories because this generally creates a mess. This is being
enforced on new artifacts coming in so I would recommend you do not
add them or your artifacts themselves will end up blocked. A better
choice is to encourage the
I don't know of any apache policy regarding external repositories but i
usual don't recommend placing repositories into the POM at all.
Best practice is to use a repository manager and add the repositories there.
So, i am not sure how Apache Hudson is configured currently, but i would
suggest conne
Hi;
Is there any rule/policy for using third-party maven repositories in our
project poms? Recently, we have required to list some repositories in
settings.xml (for example: jboss) to our codebase built correctly. But when
Apache-Hudson runs to built daily, it throws errors because of not finding
mer requirements) to the central Maven
repository through m2-ibiblio-rsync-repository.
BR,
Jukka Zitting
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
unless anyone wants to
propose
an alternative policy.
See revision 704280.
It is now OK for podlings to deploy approved releases (that satisfy
the labeling and disclaimer requirements) to the central Maven
repository through m2-ibiblio-rsync-repository.
BR,
Jukka Z
evision 704280.
>
> It is now OK for podlings to deploy approved releases (that satisfy
> the labeling and disclaimer requirements) to the central Maven
> repository through m2-ibiblio-rsync-repository.
>
> BR,
>
> Jukka Zitting
>
> --
for podlings to deploy approved releases (that satisfy
the labeling and disclaimer requirements) to the central Maven
repository through m2-ibiblio-rsync-repository.
BR,
Jukka Zitting
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
-archives.apache.org/mod_mbox/incubator-general/200809.mbox/<[EMAIL
PROTECTED]>
> Allow extra release distribution channels like the central Maven repository
> ---
>
> Key: INCUBATOR-82
>
Hi,
On Mon, Oct 6, 2008 at 9:45 PM, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> So, unless within a week from now we start seeing constructive efforts
> at forming an alternative policy (or clarifying the current
> undocumented policy) that we could vote on, I will declare this vote
> as passing an
The central repository is not an Apache project's resource.
We've always discussed issues of the central repository in private
(except for technical details of syncing other project repositories)
and as far as policy goes it's the Maven PMC that will sets it.
Members can see the list and w
Jason van Zyl wrote:
The central repository is the Maven PMC's business. What results will be
public policy but we'd like to avoid the banter of the misinformed so we
can arrive at a decision quickly.
I'd love to avoid the banter of the misinformed too, but that's not the
way Apache projects
org).
Nexus, or the Nexus CLI tool, produces a Lucene index which Nexus uses
to create a federated searching and retrieval mechanism.
One instance of Nexus can proxy any other Maven repository -- a
repository manager or normal webserver -- and with the presence of the
Nexus index allows fe
On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl <[EMAIL PROTECTED]> wrote:
> The central repository is the Maven PMC's business. What results will be
> public policy but we'd like to avoid the banter of the misinformed so we can
> arrive at a decision quickly.
Yes, although the PMC is expected to d
The central repository is the Maven PMC's business. What results will
be public policy but we'd like to avoid the banter of the misinformed
so we can arrive at a decision quickly.
On 6-Oct-08, at 10:22 AM, Noel J. Bergman wrote:
Jason van Zyl wrote:
The discussions are taking place on the
Hi,
On Wed, Sep 24, 2008 at 3:40 PM, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> This is a slight majority (of binding votes) for accepting the
> proposed change, but given the clear lack of consensus and the
> concerns voiced about that, I unfortunately need to conclude that this
> issue should be
Jason van Zyl wrote:
> The discussions are taking place on the Maven PMC list. If you are a
> member you can join the list.
Why are those discussions taking place on a private, closed, list instead of
an open one?
--- Noel
--
On Sat, Oct 4, 2008 at 12:45 AM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Color me confused again, but during setup and formation of the Incubator,
> a podling had to graduate before doing a release. It was rather well
> established before this rule was modified, but it seems that this ch
The discussions are taking place on the Maven PMC list. If you are a
member you can join the list.
On 4-Oct-08, at 8:31 AM, Gilles Scokart wrote:
2008/10/3 Jason van Zyl <[EMAIL PROTECTED]>:
On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote:
Emmanuel Lecharny wrote:
Better a bad decision th
2008/10/3 Jason van Zyl <[EMAIL PROTECTED]>:
>
> On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote:
>
>> Emmanuel Lecharny wrote:
>>
>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>> vote anymore...
>>
>> Not really. Consider that there appears to be a clear consensus that
Noel J. Bergman wrote:
> William A. Rowe, Jr. wrote:
>
>> Jukka Zitting wrote:
>
>>> Does the ASF "endorse" these releases, and what does that endorsement mean?
>
>> yes...
>
> You are talking about a legal licensing matter, whereas discussion during the
> setup and formation of the Incubator
On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote:
Emmanuel Lecharny wrote:
Better a bad decision than no decision, otherwise, soon, nobody will
vote anymore...
Not really. Consider that there appears to be a clear consensus
that if
Maven were to fix the download situation, requiring that u
Emmanuel Lecharny wrote:
> Better a bad decision than no decision, otherwise, soon, nobody will
> vote anymore...
Not really. Consider that there appears to be a clear consensus that if
Maven were to fix the download situation, requiring that users approve the
user of Incubator artifacts, rather
William A. Rowe, Jr. wrote:
> Jukka Zitting wrote:
> > This is a slight majority (of binding votes) for accepting the
> > proposed change, but given the clear lack of consensus and the
> > concerns voiced about that, I unfortunately need to conclude that this
> > issue should be tabled until bette
On Fri, Sep 26, 2008 at 9:55 AM, William A. Rowe, Jr.
<[EMAIL PROTECTED]>wrote:
> Matthieu Riou wrote:
> >
> > I've also looked at the mentors votes, those who are basically running
> this
> > place. I'm a small player but Craig mentors 6 poddlings, Jim, Henning and
> > Jukka 4 and Doug 3. I'm not
Matthieu Riou wrote:
>
> I've also looked at the mentors votes, those who are basically running this
> place. I'm a small player but Craig mentors 6 poddlings, Jim, Henning and
> Jukka 4 and Doug 3. I'm not saying their votes count more than others, just
> that when those people disagree, we shoul
On Fri, Sep 26, 2008 at 5:31 AM, Jukka Zitting <[EMAIL PROTECTED]>wrote:
> Hi,
>
> On Thu, Sep 25, 2008 at 12:58 AM, Niall Pemberton
> <[EMAIL PROTECTED]> wrote:
> > If this vote doesn't pass then we need to re-write the rules to
> > define how much of a majority overturns the status quo.
>
> I'm
Hi,
On Thu, Sep 25, 2008 at 12:58 AM, Niall Pemberton
<[EMAIL PROTECTED]> wrote:
> If this vote doesn't pass then we need to re-write the rules to
> define how much of a majority overturns the status quo.
I'm following http://www.apache.org/foundation/voting.html and the
express wish of our PMC c
On Thu, Sep 25, 2008 at 5:15 AM, Doug Cutting <[EMAIL PROTECTED]> wrote:
> This is the crux of the issue.
> Do releases from the Incubator project differ from those of other projects?
The people who created the Incubator should be able to answer this
question. IMHO (I didn't vote), what we all t
William A. Rowe, Jr. wrote:
> David Crossley wrote:
> > William A. Rowe, Jr. wrote:
> >
> > [snip]
> >> I liked the way you put the question; it's not up to incubator project to
> >> set the rules for Maven. If the maven PMC decides that these incubator
> >> releases don't belong in the primary r
On Wed, Sep 24, 2008 at 2:21 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]>wrote:
> Jukka Zitting wrote:
> >> Of which we have two; released, or not released, and that's a product
> >> of oversight and a [VOTE]. There are no magical in-betweens.
> >
> > As evidenced by this vote this is hardly the
David Crossley wrote:
> William A. Rowe, Jr. wrote:
>
> [snip]
>> I liked the way you put the question; it's not up to incubator project to
>> set the rules for Maven. If the maven PMC decides that these incubator
>> releases don't belong in the primary repository, that's their call. But
>> this
William A. Rowe, Jr. wrote:
> Jukka Zitting wrote:
> >
[snip]
>
> > Are incubating releases official releases of the ASF?
>
> Yes. Otherwise they must be removed from ASF servers.
> There's no middle ground.
>
[snip]
>
> > How strong disclaimers are needed and what level of explicit
> > ackn
Niall Pemberton wrote:
This is a slight majority (of binding votes) for accepting the
proposed change, but given the clear lack of consensus and the
concerns voiced about that, I unfortunately need to conclude that this
issue should be tabled until better consensus is reached.
If this was
oesn't pass then we need to re-write the rules to define how
much of a majority overturns the status quo. Perhaps two thrids,
perhaps no negative votes. If this policy isn't implemented, then I
think all the people who voted +1 at least deserve a definition of how
short we fell of passin
Jukka Zitting wrote:
>> Of which we have two; released, or not released, and that's a product
>> of oversight and a [VOTE]. There are no magical in-betweens.
>
> As evidenced by this vote this is hardly the consensus. See comments
> like "incubating releases to be treated as full Apache releases"
Jukka Zitting wrote:
There is clearly a widely held feeling that incubating
releases are different than "normal" ASF releases.
This is the crux of the issue. I fail to see how they are fundamentally
different. Releases and the release process is one of the most
standardized things in the AS
t;> The main impression I got from the related discussion is that the main
>> concern is not that much the security or transparency of the Maven
>> repository but rather the status of incubating releases in general.
>
> Of which we have two; released, or not released, and that&#x
ight, it's clear they were.
RAT and other methodologies helped us validate the legal aspects of
the ASF releases to the point that this is not uncomfortable anymore.
> The main impression I got from the related discussion is that the main
> concern is not that much the security or trans
m users is required? Until we have a clearer policy
on what we actually require of incubating releases and their
distribution, it seems premature to debate whether the Maven
repository meets those requirements.
So, before reopening this release distribution issue, I would expect
us to clarify the p
Jukka Zitting wrote:
>
> I extended the vote "for another week", which IMHO clearly puts the
> endpoint to this morning. As such, I will be closing the vote in a few
> hours.
:)
Sounds great
-
To unsubscribe, e-mail: [EMAIL PRO
Hi,
On Wed, Sep 24, 2008 at 5:45 AM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Jukka Zitting wrote:
>> Please vote on accepting or rejecting this policy change! This
>> majority vote is open for a week and only votes from the Incubator PMC
>> members are binding.
>
> Just as a point of ref
Jukka Zitting wrote:
> Please vote on accepting or rejecting this policy change! This
> majority vote is open for a week and only votes from the Incubator PMC
> members are binding.
Just as a point of reference, extending a vote for a given period of time
is a good thing to accommodate all input.
Doug Cutting wrote:
>
> +1 All releases by ASF PMC's should be equal. If the Incubator PMC
> isn't confident of a release then it shouldn't release it. The release
> process should not just check legal concerns, but also the quality of
> the code and its community. A responsible PMC should not
g wrote:
>>
>> [ ] +1 Yes, allow extra release distribution channels like the central
>> Maven repository
>> [ ] -1 No, keep the current policy
>
> +1 All releases by ASF PMC's should be equal. If the Incubator PMC isn't
> confident of a release then it shou
On Tue, Sep 23, 2008 at 3:15 PM, Doug Cutting <[EMAIL PROTECTED]> wrote:
> Jukka Zitting wrote:
>>
>> [ ] +1 Yes, allow extra release distribution channels like the central
>> Maven repository
>> [ ] -1 No, keep the current policy
>
> +1 All release
Will Glass-Husain wrote:
It's very tempting to allow it, but in the end too dangerous to facilitate
downloads that are hidden from the end user and may be undesireable.
Folks using Maven are already getting "hidden" downloads. Why are
incubating releases any more dangerous? Is the bar any lo
WILL
On Tue, Sep 23, 2008 at 3:15 PM, Doug Cutting <[EMAIL PROTECTED]> wrote:
> Jukka Zitting wrote:
>
>> [ ] +1 Yes, allow extra release distribution channels like the central
>> Maven repository
>> [ ] -1 No, keep the current policy
>>
>
> +1 All rele
Jukka Zitting wrote:
[ ] +1 Yes, allow extra release distribution channels like the central
Maven repository
[ ] -1 No, keep the current policy
+1 All releases by ASF PMC's should be equal. If the Incubator PMC
isn't confident of a release then it shouldn't release it. The r
gt; >> With Maven, it is too easy to depend on a release with transitive
> >> dependencies on incubating releases without even knowing it. When
> >> the incubating release subsequently is abandoned, blame will be
> >> cast widely, including Apache itself.
&
dependencies on incubating releases can be
resolved by explicitly adding an incubating Maven repository into
your settings, I don't think that wide, mirrored, distribution is
warranted.
Craig
On Sep 9, 2008, at 11:34 PM, Jukka Zitting wrote:
Hi,
We've had a number of long discuss
adding an incubating Maven repository into your settings, I
don't think that wide, mirrored, distribution is warranted.
Craig
On Sep 9, 2008, at 11:34 PM, Jukka Zitting wrote:
Hi,
We've had a number of long discussions about the incubating projects
using the central Maven rep
On Sun, Sep 21, 2008 at 6:13 PM, Roland Weber <[EMAIL PROTECTED]> wrote:
> Users who would care about "incubating" disclaimers will
> find those via Maven too. Users who don't care will ignore
> them no matter what you do. You can't force users to care.
Although I agree with your standpoint, your
cheers,
Roland
Jukka Zitting wrote:
I would like to finally resolve the issue one way or another
Until somebody on the other way reopens it in a few months ;-(
[ ] +1 Yes, allow extra release distribution channels like the central
Maven repository
[ ] -1 No
Hi,
On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Since the hash is not security, it's not terribly important, eh?
Hashes are a perfect tool for verifying message integrity. They won't
prove origin like signatures do, but verifiable integrity is hardly
*not*
Hiram Chirino wrote:
Agreed. I never argued against this. But I fail to see the point?
Are you saying initial trust is hard to secure? I totally agree on
that point. You have any solutions?
Yes. You sign your package locally, never on the remote system. The ASF
hardware must never have y
On Thu, Sep 18, 2008 at 4:57 PM, sebb <[EMAIL PROTECTED]> wrote:
> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
>>
>> <[EMAIL PROTECTED]> wrote:
>>
>> > Hiram Chirino wrote:
>> >>
>> >> So the responsibility is still on us, the u
Trust me I'm not trying to be difficult..
On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Hiram, I wish you would desist already from debating positions that you
> can't defend...
>
> Hiram Chirino wrote:
>>
>> On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTEC
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
>
> <[EMAIL PROTECTED]> wrote:
>
> > Hiram Chirino wrote:
> >>
> >> So the responsibility is still on us, the upstream distributor, to
> >> verify the the checksums we list in our sour
0. There were good reasons for both sides.
Regards,
Thomas
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Hiram, I wish you would desist already from debating positions that you
can't defend...
Hiram Chirino wrote:
On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTECTED]> wrote:
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
So the responsibility is still on us, the upstream distributor,
> On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp <[EMAIL PROTECTED]>
wrote:
>> > On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen
wrote:
>> >> > Thus:
>> >> > If the central maven repository maintainers (Maven PMC) decide
to put
>> >&
On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTECTED]> wrote:
> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> On Thu, Sep 18, 2008 at 10:59 AM, sebb <[EMAIL PROTECTED]> wrote:
>> > On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> >> On Wed, Sep 17, 2008 at 9:42 PM, Willi
Right.. It's part of the source distro or SVN.
On Thu, Sep 18, 2008 at 3:10 PM, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thu, Sep 18, 2008 at 9:08 PM, sebb <[EMAIL PROTECTED]> wrote:
>>> The checksums are _not_ downloaded from the Maven reposit
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Hiram Chirino wrote:
>>
>> So the responsibility is still on us, the upstream distributor, to
>> verify the the checksums we list in our source distro are correct.
>> But at least by doing this, down stream users of
Hi,
On Thu, Sep 18, 2008 at 9:08 PM, sebb <[EMAIL PROTECTED]> wrote:
>> The checksums are _not_ downloaded from the Maven repository.
>
> So where are they stored?
For example in our svn or signed source release packages. Along with
the source code.
>
> Using Hiram's plugin the checksums are already stored in the project
> that you're building and which you typically got either by checking it
> out of svn or by downloading a source release, both of which are
> separate from the Maven repository.
>
> Once you&#x
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 18, 2008 at 10:59 AM, sebb <[EMAIL PROTECTED]> wrote:
> > On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> >> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
> >>
> >> <[EMAIL PROTECTED]> wrote:
> >>
> >> > S
ot either by checking it
out of svn or by downloading a source release, both of which are
separate from the Maven repository.
Once you've confident that the sources you have are not compromised,
the included checksums will verify that the dependencies that were
downloaded by Maven are also v
;
> > On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> > > On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
> > >> > Thus:
> > >> > If the central maven repository maintainers (Maven PMC) decide to
> pu
Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to
verify the the checksums we list in our source distro are correct.
But at least by doing this, down stream users of our source distros
can rest assured that the dependencies that they are using are the
correc
On Thu, Sep 18, 2008 at 10:59 AM, sebb <[EMAIL PROTECTED]> wrote:
> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
>>
>> <[EMAIL PROTECTED]> wrote:
>>
>> > Similarly, the issue of signature validation is a significant flaw which
>>
p 18, 2008 at 11:17 AM, Daniel Kulp <[EMAIL PROTECTED]> wrote:
>> > On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
>> >> > Thus:
>> >> > If the central maven repository maintainers (Maven PMC) decide to put
>> >> > incubator arti
Then they wouldn't want it. :-)
Dan
>
> thanks,
> dims
>
> On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> > On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
> >> > Thus:
> >> > If th
, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
>> > Thus:
>> > If the central maven repository maintainers (Maven PMC) decide to put
>> > incubator artifacts into their repository without a click throu
the two positions and found a better consensus.
>
> Here is what the 2 camps say:
> +1 : say:
>- We can not forbid the incubator artefact to be published in the
> maven repository. Once an incubating release is done, anyone is free
> to redistribute it.
>- It
On Thu, Sep 10, 2008 at 9:34 AM, "Jukka Zitting"
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> We've had a number of long discussions about the incubating projects
> using the central Maven repository to distribute their releases. The
> current policy is that incuba
On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
> > Thus:
> > If the central maven repository maintainers (Maven PMC) decide to put
> > incubator artifacts into their repository without a click through "this
> > is incubator code" discla
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
>
> <[EMAIL PROTECTED]> wrote:
>
> > Similarly, the issue of signature validation is a significant flaw which
> > I also hope maven addresses even more promptly, and which they are aware
1 - 100 of 357 matches
Mail list logo
