Most functionality provided by Spring Roo ships with the distribution ZIP. Accordingly the Maven and shell script processes used to produce a Roo distribution ZIP ensure common bundles are incorporated into the distribution ZIP file. These common bundles are obtained from several locations, including simply compiling them (ie they're part of Roo), downloading them from Maven Central, and the wrapping infrastructure (ROO-977). Because such JARs ship in the distribution ZIP, they are installed by the user and do not need to present PGP detached signatures as required by the add-on security model (ROO-1092).
At present a number of new add-ons are being developed and these add-ons have a variety of additional bundle dependencies. As these new add-ons and their associated bundle dependencies are not planned to ship with Spring Roo, these new add-ons and their associated bundle dependencies will be subjected to the PGP-based add-on security model. In particular this means an .asc PGP signature is required for each bundle, and the bundle needs to be present in an OBR repository.xml file for indexing by RooBot.
In accordance with ROO-2059, any bundles under http://spring-roo-repository.springsource.org are automatically detected and included in its OBR repository.xml file. This makes it easy for add-ons to use dependencies in that OBR file. If the bundles are signed using a PGP key that is automatically trusted by Roo key stores by default (ie the core Roo developers), this will make installation of such bundles even easier for most users.
It is therefore intended to publish OSGi compliant bundles at http://spring-roo-repository.springsource.org/bundles. This directory will contain bundles that are:
- Not produced by Spring Roo or its wrapping infrastructure
- OSGi compliant (ie they have a properly-formed, valid manifest that has correct exports and imports)
- Obtained from a relevant third-party Maven Repository or download (generally without any subsequent modification)
- Not "wrapped" as per ROO-977 (wrapped JARs are located in a separate repository and have an org.springframework.roo.wrapping group ID)
- Signed using a PGP key that Roo installations trust by default
It is important to understand http://spring-roo-repository.springsource.org/bundles is NOT intended to be a Maven repository or location where Spring Roo project-created bundles are stored. It IS intended to be a location where common non-Roo OSGi bundles can be signed and placed for convenient incorporation into Roo's main OBR repository.xml.
Generally to use this resource, a Spring Roo developer will:
- Create an add-on
- Edit Roo's /pom.xml and include the new dependency in the dependency management section (ie version range, exclusions etc)
- Edit the add-on's pom.xml and include the new dependency so it is incorporated into the build classpath
- Run a build, causing the new dependency to download from a standard Maven repository
- Load roo-dev and "osgi ps" to ensure the bundle resolved correctly, inspect its manifest.mf by hand etc
- Use the new deployment-support/misc-bundle.deploy.sh script to sign and upload the bundle to spring-roo-repository/bundles (use -d to perform a dry run that doesn't actually complete the upload)
- Edit deployment-support/roo-deploy.sh to ensure undesired JARs are not included in the release ZIP
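The manifest inspection and signature requirements above can be checked mechanically before upload. The following is an added example, not part of the Roo deployment scripts: the function names, the JAR name and the sample manifest are constructed for illustration, and it only checks that a detached .asc file is present, not that the signature verifies.

```python
import io
import zipfile

# OSGi headers a release-4 bundle manifest is expected to carry.
REQUIRED = ("Bundle-ManifestVersion", "Bundle-SymbolicName", "Bundle-Version")

def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining folded lines.
    Header names are case-insensitive, so keys are stored lower-cased."""
    headers, name = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and name:  # continuation of the previous header
            headers[name] += line[1:]
        elif ": " in line:
            raw, value = line.split(": ", 1)
            name = raw.lower()
            headers[name] = value
    return headers

def check_bundle(jar_bytes, jar_name, sibling_names):
    """Return a list of problems; an empty list means the checks pass."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return ["no META-INF/MANIFEST.MF"]
        headers = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    problems = ["missing " + h for h in REQUIRED
                if not headers.get(h.lower(), "").strip()]
    if headers.get("bundle-manifestversion", "2").strip() != "2":
        problems.append("Bundle-ManifestVersion is not 2")
    if jar_name + ".asc" not in sibling_names:
        problems.append("no detached signature " + jar_name + ".asc")
    return problems

def make_jar(manifest_text):
    """Build a constructed in-memory JAR holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed sample manifest (not from a real bundle); one header is folded.
SAMPLE = ("Manifest-Version: 1.0\r\nBundle-ManifestVersion: 2\r\n"
          "Bundle-SymbolicName: com.example.sample;singlet\r\n on:=true\r\n"
          "Bundle-Version: 1.0.0\r\n\r\n")

if __name__ == "__main__":
    print(check_bundle(make_jar(SAMPLE), "sample-1.0.0.jar", {"sample-1.0.0.jar"}))
```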
An example of the command to upload the "spring-web" bundle is:
It is possible to browse the currently-uploaded bundles using http://s3browse.springsource.com/browse/spring-roo-repository.springsource.org/bundles/
After a period of time the uploaded bundle will be indexed and visible in the http://spring-roo-repository.springsource.org/repository.xml and http://spring-roo-repository.springsource.org/repository.xml.zip files (see ROO-2059 for details of this automated process).
This ticket is primarily to note the philosophy and intended operation of the new http://spring-roo-repository.springsource.org/bundles location and record instructions to Roo developers on how to use it.