On 8/25/07, Martin Cooper <[EMAIL PROTECTED]> wrote: > On 8/25/07, Phil Steitz <[EMAIL PROTECTED]> wrote: > > > > On 8/25/07, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > > > Martin Cooper wrote: > > > > > > > > GUMP builds are deemed non-trusted, since GUMP downloads from > > > > > non-ASF sites and includes them in builds without any vetting > > > > > of the third party dependencies. > > > > > > > True, but it's not clear that everything in the public Maven repo > > > > should be considered as "vetted" either. > > > > > > Exactly. Maven continues to be remiss in delivering on their goal of > > > ensuring authenticated packages. I view anyone who uses the public > > Maven > > > repository as being foolish; competent Maven users have their own > > private > > > repositories. > > > > > > And, yes, the corollary that GUMP is building from the latest of > > everything > > > is another key reason not to use it for nightly builds. > > > > > > > Another reason is that it is a little easier for us to manage > > "publication" of the CI artifacts using Continuum / vmbuild. We can > > publish both jars and zips/tarballs to a local maven repo on vmbuild > > and set up rsynch to people.apache.org, eliminating some of the > > ugliness in the bash setup. > > > > So can I get some feedback on the "what to publish" question? > > > I'd say #1. The nightly builds are purely a convenience. If someone really > needs something prior to the most recent nightly, they should be able to > build it themselves, and it's not clear that us picking an arbitrary number > would provide what they need in any case.
+1. #1 Most successful build only. Hen --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
