Can you specify dependency checksums in Apache Ivy? - ant

I'm curious if there's a way to specify a checksum value for dependencies in an ivy.xml file.
For example, I have the following dependency:
<dependency org="org.hibernate" name="hibernate-core" rev="3.5.6-Final"
force="true"/>
Would it be possible for me to do something like this?
<dependency org="org.hibernate" name="hibernate-core" rev="3.5.6-Final"
checksum="10249177261810a3ba8f3b9a468d06e0" force="true"/>
The primary reason I want to do this is for security, to ensure that the dependency on the remote repository has not been changed when I pull it down in the future. I would like to check it against the checksum value in my own ivy.xml file instead of that on the remote host.

Take a look at Artifactory or Nexus. These are local Maven repositories that can download jars from the various third party repositories.
Both can be set to cache remote artifacts locally and not to redownload them once downloaded. This will solve your problem of a jar in a remote repository being changed.

The primary purpose of checksums in ivy (and Maven for that matter) is to ensure that the download worked correctly and the file was not corrupted in transit or storage.
"checksum" attribute on resolvers
Description of checksums in ivy
The only ivy functionality that uses checksums for security checking is the packager resolver. This makes sense since the packager repository files are designed to be hosted separately to the source files.
So in conclusion, the best solution is to follow David's advice and deploy a Maven repository manager within your network. Sonatype have recently offered SSL connectivity to Maven Central, which additionally protects you against remote repository spoofing.
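The check the question asks for can also run as a separate build step after the jars have been retrieved. The following is an added example, not code from the posts above or from Ivy: it compares the jars in a retrieve directory against SHA-256 values kept in the project, and it uses SHA-256 rather than the MD5-length value shown in the question. The pin-file format, the function names and the jar file names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def load_pins(text):
    """Parse '<sha256-hex> <file name>' lines; '#' starts a comment."""
    pins = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"pin file line {n}: expected '<sha256> <file>'")
        bytes.fromhex(parts[0])  # raises ValueError if the digest is not hex
        pins[parts[1]] = parts[0].lower()
    return pins

def verify_dir(lib_dir, pins):
    """Return sorted (file, problem) pairs; an empty list means every jar matched."""
    present = {p.name: p for p in Path(lib_dir).glob("*.jar")}
    # A jar with no pin fails too, so a new transitive dependency gets reviewed.
    problems = [(n, "unpinned") for n in present.keys() - pins.keys()]
    for name, expected in pins.items():
        if name not in present:
            problems.append((name, "missing"))
        elif sha256_file(present[name]) != expected:
            problems.append((name, "mismatch"))
    return sorted(problems)

def demo():
    """Constructed sample: fake jar bytes; jar names and pin format are assumptions."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "hibernate-core-3.5.6-Final.jar")
        good.write_bytes(b"constructed jar bytes")
        pins = load_pins(f"{sha256_file(good)}  {good.name}  # pinned at review\n")
        before = verify_dir(d, pins)
        good.write_bytes(b"changed upstream")       # simulated replaced artifact
        Path(d, "extra-1.0.jar").write_bytes(b"x")  # jar that nobody pinned
        return before, verify_dir(d, pins)

if __name__ == "__main__":
    print(demo())
```

A build would fail whenever `verify_dir` returns a non-empty list, with the pin file committed next to ivy.xml so that changes to it show up in review.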

Related

How to get Ivy to not delete a file (or include it locally)

My project is built by Ant/Ivy. Ivy is deleting a library (self made) that I need and I don't have a repo for it. How do I configure my ivy that it either doesn't delete files that are not specified OR make a local dependency on the ivy cache?
For Ivy, any dependency has to come from a 'resolver'. So even if you don't have a classical remote repository to host a self made library, you should "publish" that library in a repository.
Ivy is very flexible on how to resolve dependencies in a repository. For a simple adhoc library dependency, you can set a specific folder in your project to be a local repository, and have Ivy resolve dependencies in there.
In your ivysettings.xml, you should then add a resolver for a 'local' folder in which you can put your library:
<ivysettings>
    <resolvers>
        <filesystem name="local-libs">
            <artifact pattern="local/[module]/[artifact].[ext]"/>
        </filesystem>
    </resolvers>
</ivysettings>
With this piece of settings, considering that in the ivy.xml file of your project you have also declared a dependency on that self made library, Ivy will resolve the dependency tree properly.
More options on a local filesystem resolver can be found in the documentation: https://ant.apache.org/ivy/history/2.5.0/resolver/filesystem.html

How to stop maven from downloading some jar files from repository

I am modifying the hadoop source code but when I do a compile in maven it downloads from the maven repository, which is causing problems as my changes are not always used.
How can I get maven to not download some files from the repository at all, and just use what is in the local classpath?
I am using maven 3.0.4
The best way is to give to "hadoop source code" a different SNAPSHOT version or a different artifactId and refer to it.
However, I think it is a stupid answer.
You can set local settings to offline=true: http://maven.apache.org/ref/3.0.3/maven-settings/settings.html
or use a repository manager (such as Nexus), http://maven.apache.org/repository-management.html, and deploy to the repository.
Update these properties inside of your POM file to disable updates of your dependencies.
enabled: true or false for whether this repository is enabled for the
respective type (releases or snapshots).
updatePolicy: This element specifies how often updates should
attempt to occur. Maven will compare the local POM's timestamp
(stored in a repository's maven-metadata file) to the remote. The
choices are: always, daily (default), interval:X (where X is an
integer in minutes) or never.
POM Reference - MAVEN Site

Grails - How to make ivy-cache folder structure the same as maven repository folder structure? [duplicate]

The ivy local repository is in ~/.ivy2, and I'd like to use it as my local maven repository. Is there any easy way, like a setting, to do it?
I suspect what you're trying to do is share ivy's cache, not its local repository. Files are placed in ivy's repository by calling the publish task. Ivy has a clear storage distinction between these file types:
~/.ivy2/cache
~/.ivy2/local
Maven on the other hand mixes up both file types under the following directory:
~/.m2/repository
It would be a lot simpler to optimize your caching by installing a Maven repository manager like Nexus and configuring Maven and Ivy to use it. Nexus is a very efficient java process and simple to set up on your development machine.
Finally if you are determined to share caches, you could attempt to use the caches directive in the ivy settings file. It has "ivyPattern" and "artifactPattern" directives which suggest one can customize how the cached files are stored. To make this work you'll have to customize ivy. Maven has no flexibility in this area.

add local jars to ivy build script

I am working on an existing application that uses ivy to manage dependencies, and the source comes with ivy.xml and ivysettings.xml files. I am trying to add my own jar to the build. What would be the easiest way to do this?
I tried adding a dependency to ivy.xml and I am not sure how to configure the repository directories. Maybe there are easy ways to do this? Any quick and dirty way will do.
The filesystem resolver in conjunction with the chain resolver should help you, assuming that you can modify the ivysettings.xml that you just inherited.
You can store your jars locally on your machine under your Local Ivy cache or your Shared Ivy cache. I believe it's $HOME/.ivy2/local and $HOME/.ivy2/shared and it's in the same format as the $HOME/.ivy2/cache directory. If you use <ivy:publish/> Ant task to push your local jars to your local repository, they'll be accessible to all of your projects.
However, I recommend biting the bullet and doing things ...what's the technical term? oh yeah... The correct way.
Go ahead and set up a project wide Ivy/Maven repository where you can fetch your local jars the same way you fetch your third party jars. This way, there is no difference between your local jars, and the third party jars you're using. No one has to think where a particular Jar is located or adjust their Ivy configuration to get one jar or another.
Download either Nexus or Artifactory. You can set these repositories up so that all the third-party jars and your local jars are available as if they're all stored in the same server. You can even add in other jar repositories that are not centrally located.
I recommend Loughran's book Ant in Action. It has an excellent chapter on using Ivy. You can also look at my ivy.dir to see how I configure Ivy, so it's easily accessible to all of our projects.

Is the [conf] token respected when publishing files using Ivy?

I'm learning Ivy (http://ant.apache.org/ivy/) and integrating it as part of our build process. It's going pretty well, but I'm stuck on something with the Ivy publish task. Specifically, I'd like to publish to the local repository with the following pattern (which includes the name of the current configuration):
${ivy.local.default.root}/[organisation]/[module]/[revision]/[type]s/[conf]/[artifact].[ext]
So I set up my custom resolver:
<filesystem name="modifiedLocalRepo">
    <ivy pattern="${ivy.local.default.root}/[organisation]/[module]/[revision]/[type]s/[conf]/[artifact].[ext]" />
    <artifact pattern="${ivy.local.default.root}/[organisation]/[module]/[revision]/[type]s/[conf]/[artifact].[ext]" />
</filesystem>
And configured the publish task:
<!--settingsRef: location of definition of modifiedLocalRepo-->
<ivy:publish
    settingsRef="ivy.ext.settings.custom"
    resolver="modifiedLocalRepo"
    artifactspattern="bin/Debug/[module].[ext]"
    pubrevision="1.1-Test"
    overwrite="true"
    conf="primary"
/>
And have the conf defined in the ivy.xml file:
<info organisation="Mine" module="Dependency"/>
<configurations defaultconf="primary"> <!--Don't think defaultconf should be necessary-->
    <conf name="primary"/>
</configurations>
<publications>
    <artifact name="Dependency" ext="dll" type="bin" conf="primary"/>
    <artifact name="Dependency" ext="pdb" type="bin" conf="primary"/>
</publications>
I have the process working, ivy configured, resolved, the project building, and the artifacts published (using my custom resolver above). But the [conf] token is always resolving to "default." So the published directory has the structure:
\.ivy2\local\Mine\Dependency\1.1-Test\bins\default\
instead of the structure
\.ivy2\local\Mine\Dependency\1.1-Test\bins\primary\
I've been tinkering around with it, setting the conf value, defaultconf value, etc. everywhere they are valid but it's always "default."
I'm using ant to do the build, and have run in debug mode (-d), inspected the output and noticed nothing useful. I've looked through the output of <echoproperties/> and noticed nothing useful. I've read through the Ivy documentation and only found use of [conf] as a token in retrieve and report output.
I can attach the full xml files I'm using to do my limited test build if it would be useful.
Is the [conf] token valid/respected in the artifact pattern for an Ivy publish? If so, what am I missing? Thanks!
Update:
Was using Ivy 2.3.0-rc2 and decided to try to roll back and use Ivy 2.0.0. Same issue.
Take a look at my Ivy project in github. I set it up, so you can easily add it into an existing Ant project.
We use a Maven repository, so I have it set up to create a pom.xml, and then use mvn deploy:deploy-file to deploy it back to the Maven repository. We use Jenkins for our build, so we use Jenkins to run the mvn deploy-file to do the deployment. I guess we could use <ivy:publish>, but never really tried it.
