On Wed, 17 Nov 2004 14:05:35 +0100, Stefan Bodewig <[EMAIL PROTECTED]> wrote: > On Tue, 16 Nov 2004, Steve Loughran <[EMAIL PROTECTED]> wrote: > > > I dont think security checking of Md5 checksums should be voluntary; > > While I agree with this in principal, implementing it may be difficult > since the Maven-like repo at www.apache.org holds .MD5 files (or .md5 or > .md5sum) that have been created by different tools and thus have > different formats.
Do you mean the repository under <http://www.apache.org/dist/> ? I would like to make a repository type to handle it, but it doesn't show much consistency. For example, just comparing three java projects: ant, bcel, and struts, their versioned binaries are located at: ant/binaries/apache-ant-1.6.2-bin.tar.gz jakarta/bcel/binaries/bcel-5.1.tar.gz struts/binaries/jakarta-struts-1.2.2.tar.gz the only thing that you can count on is the existence of the binaries directory and the version extension. You could consider ant to have group/artifact as "ant/apache-ant" and struts to have "struts/jakarta-struts" but bcel has an extra layer: "jakarta/bcel/bcel" Now there are workarounds here, but it sure doesn't make things easy- and the paths tend to change over time. The ibiblio repository works because it has a well-defined and consistent structure. The apache repository does not seem to, even ignoring the checksum algorithm problem. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
