Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more com…
…pact format backed source (s4u#199) This PR implements several improvement issues: * introduces "trusted" checksums source (and adapts them for provided transport checksums) * pushed/moved existing implementation as "trusted" source and introduces "compact" (file) based source * cleanup re naming: before it was "file" source, now there is "file-sparse" (old) and "file-compact" (new) * also adds minor "cleanup" in AetherModule (stylistic, renames provider private vars and makes them unmodifiable). This does not affects consumer of this library that use sisu (like Maven). Reason: existing `ProvidedChecksumSource` is all about _transport_ (see API). Uses transport related classes and is meant -- as it's name and package says -- to provide expected checksums for transport related checks (it provides ChecksumKind#PROVIDED, uses RemoteRepository and transfer related classes). OTOH, there may be requirement to "provide" checksums for operations totally unrelated to transport. Hence, the introduced trusted checksums (using non transport related API) is exactly that, provides checksums for given Artifact (optionally factoring in origin as well in form of ArtifactRepository). This clearly separates "transport realm" and rest of the things. Along with existing (moved) source, new trusted checksums implementation added that uses more compact format: a "summary" file that contains list of Artifact IDs and checksum per one line. This format is more VCS friendly, and also easier to handle then sparse directories. By default, new "trusted" checksum sources _are adapted_ to "provided" checksum sources (see `TrustedToProvidedChecksumsSourceAdapter`), so no functionality loss happens. Perfomed cleanup around trusted checksum sources as well, old one was in wrong place and wrongly named, dropped it (as it was final class), and now we have two sources: * `sparse-directory` -- behaves exactly same as dropped one, expects provided checksums in "local repo"-like sparse layout * `summary-file` -- is the new format, where one file `checksums.${checksumExt}` is expected to contain Artifact ID and checksum for given algorithm per line (separated by space) Both source are able to be "origin aware" when it factors in origin repository ID as well (so one could get `checksums-central.sha1` with all the known trusted checksums for use). Sources are DISABLED by default, as even if file is present (check possible only for file-compact) it does not mean user want to use it in every project. Enabling them is possible via usual means (`-D...` or by config in `.mvn` directory to make it per-project persistent). All configuration is sourced from repo system session, no system properties used. Based on work done in apache/maven-resolver#192 Co-authored-by: @raphw <rafael.wth@gmail.com> --- https://issues.apache.org/jira/browse/MRESOLVER-275 -- Introduce trusted checksums source https://issues.apache.org/jira/browse/MRESOLVER-269 -- Allow more compact storage of provided checksums
- Loading branch information