incubator-general mailing list archives

From Jason van Zyl <>
Subject Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository
Date Tue, 07 Oct 2008 04:24:12 GMT

On 7-Oct-08, at 12:02 AM, Niclas Hedhman wrote:

> On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl <>  
> wrote:
>> The central repository is the Maven PMC's business. What results  
>> will be
>> public policy but we'd like to avoid the banter of the misinformed  
>> so we can
>> arrive at a decision quickly.
> Yes, although the PMC is expected to do all non-sensitive discussion
> on the public dev@ list. But, so far I think the central repo has
> served the Java communities (not only Apache) very well. It allows
> sync'ing from other repository hosts, which has made life a lot easier
> for smaller projects.
> That said, I think that Maven should move away from a central
> repository, and instead go with distributed ones and possibly harness
> the power of search engines (Yahoo RDF?) to locate stuff everywhere.

This is already possible with Nexus (  
Nexus, or the Nexus CLI tool, produces a Lucene index which Nexus uses  
to create a federated searching and retrieval mechanism.

One instance of Nexus can proxy any other Maven repository -- a  
repository manager or normal webserver -- and with the presence of the  
Nexus index allows federated searching and retrieval of artifacts  
through that single instance. Some groups are already starting to  
provide Nexus indices:

This means you as a user can set up Nexus locally, create proxied  
repositories and get access to the contents of those repositories. So  
if everyone did this we could federate all the repositories around the  
world and then central just becomes a switchboard. This would be great  
as it would distribute the load around, but I think we still might  
want to collect everything in one place for safety.

> To be able to do that securely, some clever security mechanisms must
> first be developed, and since that is in line with security-concerned
> people, I think it is a good thing to do so. "How hard can it be?",
> considering the expertise around detailing the requirements almost at
> code level, right  ;-) ?

Mercury will support PGP validation, and we are building support for  
PGP into Nexus so the indices could be retrieved and validated, and  
subsequent retrieval of artifacts could then also be validated. The  
technology is pretty much there to do what you're asking for but  
producing the indices in all the repositories will take time. But  
people are doing it because it also provides value in the IDEs.  
m2eclipse, NetBeans, and IDEA are already integrating Nexus index  
technology to provide full POM auto-completion support, and we also  
use the index to find Maven plugins, Maven archetypes, and flag  
artifacts as having sources, javadocs, and valid checksums and  
signatures. So people will create indices to get the value in IDEs and  
as a consequence federating everything is possible.

> Cheers
> Niclas



Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com

We know what we are, but know not what we may be.

   -- Shakespeare
