nikgoodley-ibboost / maven-external-dependency-plugin

Automatically exported from code.google.com/p/maven-external-dependency-plugin

Check if the artifact isn't already hosted on maven repo #6

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This is a bit wilder idea, but I think would be a nice add to your plugin,
especially if you really wanna follow that line of not screwing up the
artifacts already hosted on maven repo.

Let's say users put an entry to download an artifact.

And this artifact checksum is 'dcab88fc2a043c2479a6de676a2f8179e9ea2167'; it
could be known ahead if the user did inform this, or calculated after the
artifact, doesn't really matter.

Now, let's say user gave this artifact the following GAV
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>1.5</version>

But this checksum belongs to an artifact with a different GAV:
http://repository.sonatype.org/service/local/data_index?sha1=dcab88fc2a043c2479a6de676a2f8179e9ea2167

I think you could use sonatype rest API to validate that.  And I would say
to fail the build if the artifact is already hosted on a known maven
repository.... especially if its GAV doesn't match the repository GAV.

VELO

Original issue reported on code.google.com by velo...@gmail.com on 11 Feb 2010 at 11:05

GoogleCodeExporter commented 9 years ago
Looks like I can only create defects.... =/

Original comment by velo...@gmail.com on 11 Feb 2010 at 11:07

GoogleCodeExporter commented 9 years ago

Original comment by savage7....@gmail.com on 13 Feb 2010 at 12:33

GoogleCodeExporter commented 9 years ago
Velo,

I looked at the sonatype rest API, and when trying to access the query that would search for artifacts by checksum, it would prompt me for credentials.  So, I'm not sure this is an open API, it may require user credentials to access.

Original comment by savage7....@gmail.com on 13 Feb 2010 at 12:35

GoogleCodeExporter commented 9 years ago
Hrmmm.... it should be public, since anyone can access their site and send requests for checksums....

Original comment by velo...@gmail.com on 13 Feb 2010 at 2:33

GoogleCodeExporter commented 9 years ago
Ok, so I have been able to get a few SHA1 requests working without authentication.  Have not been successful with MD5 yet, no auth prompts, but no success response returned either.

http://repository.sonatype.org/service/local/identify/sha1/46fc7b53d0fd5b4a134550417daa76696d68e4d0

http://repository.sonatype.org/service/local/identify/sona:md5/b6b0928bbf9b3a9a425f7b2687aa37bd

Original comment by savage7....@gmail.com on 13 Feb 2010 at 8:08

GoogleCodeExporter commented 9 years ago
I think the search is sha1 only, at least I never tried it as md5

Original comment by velo...@gmail.com on 13 Feb 2010 at 10:38

GoogleCodeExporter commented 9 years ago
Velo,

I started working on this logic and I have run into a question.  I have calculated the SHA1 checksum and I am getting the REST XML results returned from Sonatype.

Under what conditions do you think the build should fail?

Obviously if no artifacts are returned in the resulting XML, then it is OK to continue and not fail the build.  If 1 or more artifacts are returned in the XML results what should I do?  Should I iterate over the returned artifacts list and look for artifacts listed under the same group ID and artifact ID and fail if that is found?  Or should I fail the build if any artifacts are returned in the REST query?  Is it possible that another project could end up with the same checksum?

Thank You,
Robert

Original comment by savage7....@gmail.com on 26 Mar 2010 at 1:13

GoogleCodeExporter commented 9 years ago
I agree with you, if no artifacts are available just let it be.

If anything is found (most likely only one result will be found), I see 2 workflows:
a) if the GAV match, so let it be
b) if the GAV are different, print the list of artifacts you found and fail the build due to the fact this artifact is getting duplicated

> Is it possible that another project could end up with the same checksum?

Almost impossible, it is a fingerprint technique, should be unique for each file.

Original comment by velo...@gmail.com on 26 Mar 2010 at 1:22
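
The workflow agreed on in the comments above (no hits: continue; a hit with the same GAV: continue; a hit under a different GAV: fail), as an added Java example that is not part of the original thread or the plugin's code. The class name, the `<artifact>` response layout and the sample response are assumptions; the real lookup service may shape its XML differently.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class HostedArtifactCheck { // hypothetical class, not the plugin's
    record Gav(String groupId, String artifactId, String version) {}

    // Parse the lookup response; the <artifact> element layout is an assumption.
    static List<Gav> parseHits(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The response is remote input, so refuse any DOCTYPE (no external entities).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("artifact");
        List<Gav> hits = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            hits.add(new Gav(text(e, "groupId"), text(e, "artifactId"), text(e, "version")));
        }
        return hits;
    }

    static String text(Element e, String tag) {
        NodeList l = e.getElementsByTagName(tag);
        return l.getLength() == 0 ? "" : l.item(0).getTextContent().trim();
    }

    // No hits: continue. A hit with the declared GAV: continue. Anything else: fail.
    static void check(Gav declared, List<Gav> hits) {
        if (hits.isEmpty() || hits.contains(declared)) return;
        throw new IllegalStateException("checksum already hosted as " + hits);
    }

    public static void main(String[] args) throws Exception {
        // Constructed response for one checksum lookup (not real service output).
        List<Gav> hits = parseHits("<artifacts><artifact><groupId>org.example</groupId>"
                + "<artifactId>widget</artifactId><version>2.0</version></artifact></artifacts>");
        check(new Gav("org.example", "widget", "2.0"), hits); // same GAV: passes
        try {
            check(new Gav("org.apache.ant", "ant", "1.5"), hits); // GAV from the issue
        } catch (IllegalStateException ex) {
            System.out.println("BUILD FAILURE: " + ex.getMessage());
        }
    }
}
```

When several hits come back, this version passes if any one of them carries the declared GAV, which is one reading of workflow (a).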

GoogleCodeExporter commented 9 years ago
implemented in version 0.2-SNAPSHOT
example of invalid artifact is included in the test project's POM file, but it is commented out.

Original comment by savage7....@gmail.com on 26 Mar 2010 at 6:48

GoogleCodeExporter commented 9 years ago
From what I learned with Flexmojos I would:
a) not make it possible to skip checksum verification, or
b) make it only skippable using an arg on command line (-Dexternal.dependency.unsafely.install.artifacts)

Why is that? People tend to screw up their build and to ignore warnings on output.  One example that happened to me was that Flexmojos printed a warning and broke the build when people built a project using Flex 4 compiler and Flex 3 libraries.  This will obviously go wrong, but people just set skipCompilerVerification to true and then complain flexmojos doesn't work....

Anyway, just a suggestion

Original comment by velo...@gmail.com on 26 Mar 2010 at 11:34