1. A developer for a project will first make an application for upload
priviledges by creating a JIRA which contains the following information:
Refer to the upload-application.txt file.
2. One of the PMC members needs to process the application which means:
- installing the gpg public key on beaver.codehaus.org
- placing the application form in some private location for record keeping
- notify the applicant they are setup
1. User creates a bundle using the 'create-upload-bundle' goal in the repository
plugin. The bundle would include:
- pointer to a checksum (ben suggested sha1)
2. Bundle is pushed to a specified location, in our case beaver.codehaus.org where
it sits to be processed.
3. Bundle is verified with the retrieved checksum.
- if verification fails we send mail to the nag email address
4. Bundle is unpacked and placed in a syncing directory where the ibiblio
folks can retrieve to update the central repository.
Allowing project's to upload the same version of the bundle should be
prohibited. I think it can often happen that mistakes are made but an
artifact should never be overwritten with something that claims to be the
same version. We can easily track this on the intermediary machine and send
a notice to the project's mailing list when this occurs asking them to make
a patch release or whatnot.