On Thursday, March 27, 2014 7:16:36 AM UTC-7, Aaron Cohen wrote:
> If "version" doesn't end in "-SNAPSHOT", then lein (deferring to the way maven works)
> will retrieve that dependency to your local $HOME/.m2/repository/not-really-trusted-package/version
> directory, and never update it again (because it doesn't have a SNAPSHOT suffix).

This is correct; Clojars had a policy change a while back to completely ban re-deploys to the same non-snapshot version. If you pull something down from Clojars and inspect the jar file, you can rely on always getting the same version back in the future, barring a break-in to the server. If that's the threat model you're worried about, you would need to check the signatures on the jar with `lein deps :verify`, but that functionality is somewhat immature at the moment.

-Phil

--
You received this message because you are subscribed to the Google Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/clojure?hl=en
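
Added example, not part of the original thread and not code from Leiningen or Clojars: since a release (non-SNAPSHOT) jar is never supposed to change once fetched, its SHA-256 digest can be pinned after inspection and re-checked later. The function names `pin_releases` and `check_releases` are hypothetical, and the sketch assumes GNU `sha256sum` and a Maven-layout repository directory such as `$HOME/.m2/repository`.

```shell
# Added example: pin and re-check digests of release jars in a local
# Maven-layout repository. Function names are hypothetical.
# Assumes GNU coreutils sha256sum.

# pin_releases REPO
# Print "digest  ./relative/path" for every jar that is not inside a
# *-SNAPSHOT version directory. Snapshots are skipped because they are
# expected to change. Redirect the output into a manifest file.
pin_releases() (
  cd "$1" || exit 2
  find . -type f -name '*.jar' ! -path '*-SNAPSHOT/*' \
    -exec sha256sum {} + | sort -k2
)

# check_releases REPO MANIFEST
# Returns 0 if every pinned jar still has its pinned digest,
# 1 if any pinned jar changed or is missing,
# 2 if the manifest is empty or REPO cannot be entered.
check_releases() (
  [ -s "$2" ] || { echo "empty manifest: nothing pinned" >&2; exit 2; }
  exec < "$2"                  # open the manifest before changing directory
  cd "$1" || exit 2
  sha256sum --check --quiet    # reads the manifest from stdin
)

# Typical use, after inspecting the jars you depend on:
#   pin_releases "$HOME/.m2/repository" > deps.sha256
#   check_releases "$HOME/.m2/repository" deps.sha256
```

A matching digest shows only that the jar is byte-identical to what was pinned; it says nothing about who published it, which is what the signature check with `lein deps :verify` addresses.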