ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <>
Subject Re: repository
Date Tue, 26 Oct 2004 22:44:43 GMT
On Tue, 26 Oct 2004 16:14:39 -0400, Russell Gold <>
> On Tue, 26 Oct 2004 00:17:06 +0100, Steve Loughran <>
> >
> > I have just committed a repository task. In theory it will support
> > repositories other than maven, but there is only maven support right
> > now.
> >
> > <getlibraries destDir="${lib.dir}">
> >     <mavenrepository/>
> >     <library archive="commons-logging"
> >         project="commons-logging" version="1.0.1"/>
> > </getlibraries>
> How does this compare with
> <>, which has been listed
> on the external tools page for several weeks - a task which, when I
> offered it two months ago, was rejected with the comment that such
> tasks don't belong in ant proper?

I like yours better :)

Seriously, I like how you have done the trick of making the dependency
graph a classpath reference that can be used; very slick. I'd thought of
that, but hadnt put any effort in thinking how to do it.

Also <dependencies> is a better (more declarative) name for what you are

One thing that I think could also be included is the ability for every
library/dependency to (optionally) declare a resource or class that must
exist. That way you don't just download things, you can probe to verify
that the files are vaguely correct. 

I must have missed the info on your task; the only one that I knew about
was the Krysalis work, and of course Maven itself. I wrote this up
fairly quickly and stuck it in to provide a focal point for repository
access; this is also why I checked it in before it was working fully.
Now is the time to fix what I have started; we have until Axis1.7 ships

So if you want to merge what I've done with your code, let's go for it.
Same for anyone else who wants to contribute. 

I am particularly worried about security, and would really like to have
the maven checksum verification, with jar signature verification
alongside. What we are going to build is effectively very-very-close to
java webstart, and we don't want to expose too many security risks on
developers' systems. As it stands, a DNS subversion of a major ISP would
let you run malicious code on everyone downstream. 


ps, gmail ads are pointing me at the fact that InstallShield can now run
ant during the install phase. We really are everywhere :)

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message