[Building Sakai] Wrong or inexistant checksums for some dependencies
Aaron Zeckoski
azeckoski at unicon.net
Sat Feb 4 06:56:09 PST 2012
That depends on who you talk to. For Matterhorn we maintained every
library we used as a mirror in case anything happened to the ones in
the central repo. This is a practice that some groups recommend (and
it can be a good bit faster IF your local repo is faster than maven
central).
On the other hand, there is the cost of the extra storage and
bandwidth and the cost of putting the libraries in there in the first
place to consider. Since artifacts don't change over time (or
shouldn't) it is really just the time to add the library once (which
should be just be a single maven command).
-AZ
On Sat, Feb 4, 2012 at 12:56 AM, Steve Swinsburg
<steve.swinsburg at gmail.com> wrote:
> Is there a need for us to maintain third party libraries in our maven repo if they are in central? I'd suggest they be removed if possible.
>
> Cheers
> Steve
>
> Sent from my iPhone
>
> On 04/02/2012, at 4:34, Colin Hebert <colin.hebert at oucs.ox.ac.uk> wrote:
>
>> Hello all,
>>
>> I tried to build sakai using the '---strict-checksums' option in maven
>> and I had troubles with some dependencies having either a checksum
>> different than the expected one (from the sha-1 file) or no sha-1 to
>> verify against.
>>
>> Most of these dependencies are available on the maven repository at
>> source.sakaiproject.org/maven2.
>>
>> Here is a list of the concerned dependencies (affecting my build):
>>
>> http://source.sakaiproject.org/maven2/batik/batik/1.5-fop-0.20-5/
>> http://source.sakaiproject.org/maven2/fop/fop/20070301/
>> http://source.sakaiproject.org/maven2/ical4j/ical4j/1.0-rc2/
>> http://source.sakaiproject.org/maven2/javax/activation/activation/1.0.2/
>> http://source.sakaiproject.org/maven2/javax/jms/jms/1.1/
>> http://source.sakaiproject.org/maven2/javax/mail/mail/1.3.1/
>> http://source.sakaiproject.org/maven2/javax/transaction/jta/1.0.1B/
>> http://source.sakaiproject.org/maven2/jsf/jsf-api/1.1.01/
>> http://source.sakaiproject.org/maven2/jsf/jsf-impl/1.1.01/
>> http://source.sakaiproject.org/maven2/jta/jta/h2.1.8/
>> http://source.sakaiproject.org/maven2/net/sf/jsmath/jsmath/3.3g/
>> http://source.sakaiproject.org/maven2/net/sf/jsmath/jsmath-fonts/1.3/
>> http://source.sakaiproject.org/maven2/OKI/OkiOSID/2.0/
>> http://source.sakaiproject.org/maven2/org/apache/commons/xml-resolver/1.2/
>> http://source.sakaiproject.org/maven2/org/azeckoski/reflectutils/0.9.15/
>> http://source.sakaiproject.org/maven2/org/opensymphony/quartz/quartz/1.6.6/
>> http://source.sakaiproject.org/maven2/portlet-api/portlet-api/1.0.1/
>> http://source.sakaiproject.org/maven2/rome/itunes/0.3/
>> http://source.sakaiproject.org/maven2/tomcat/catalina/tomcat-5.5.33/
>> http://source.sakaiproject.org/maven2/tomcat/catalina-optional/tomcat-5.5.33/
>> http://source.sakaiproject.org/maven2/tomcat/naming-resources/tomcat-5.5.33/
>> http://source.sakaiproject.org/maven2/tomcat/jmx/tomcat-5.5.33/
>> http://source.sakaiproject.org/maven2/zing/cql-java/0.7/
>>
>> There was also one from repo1 (net.sf.json-lib:json-lib:jar:jdk15:2.3).
>>
>> This could be be fixed to improve security; and for projects without
>> sha-1 file, it will avoid corrupted downloads.
>>
>> Cheers,
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>
>> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
--
Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
More information about the sakai-dev
mailing list