For this, there is already an enforcer rule available: https://github.com/gary-rowe/BitcoinjEnforcerRules

Domi
On 24.03.2014, at 20:31, Martijn Dashorst <[email protected]> wrote:

> On Mon, Mar 24, 2014 at 8:06 PM, Stephen Connolly <[email protected]> wrote:
>
>> I see the checksums then as being another potential side artifact... No need for modelVersion 5.0.0
>
> I see it differently: the checksum validates the GAV coordinates. "I mean 'com.example.foo:foo:1.0', specifically verify that it matches this signature 'sha1:1234567890abcdef'."
>
> For example, this enables me to check if a different version of an artefact was uploaded to the same GAV than I expected (and reportedly the original author too).
>
>> A plugin right now could capture them and deploy to repo, and you could have same plugin verify the resolved dependencies against the same file.
>
> This assumes the whole chain of parties is to be trusted. That nobody will try to side-load a version from a different repository.
>
> I find the idea of adding a checksum to a dependency interesting. While I don't care for the extra fields in the POM, it opens a better venue of vetting the dependencies.
>
> Martijn
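The check Martijn describes above (a checksum pinned to the GAV coordinate itself, so that whatever artifact resolution returns for that coordinate, from whichever repository, has to match it) as an added Python example; this is not code from the thread or from the enforcer rule linked above, and the `sha1:`/`sha256:` pin syntax, the `Verdict` type and the sample jar bytes are constructed for illustration:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Digest algorithms a pin may name (hypothetical policy; the thread's example
# uses sha1, sha256 is the stronger choice).
SUPPORTED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

@dataclass(frozen=True)
class Verdict:
    gav: str
    ok: bool
    reason: str

def parse_pin(pin: str) -> tuple[str, str]:
    """Split 'sha1:1234abcd...' into (algorithm, lowercase hex digest)."""
    algo, sep, digest = pin.partition(":")
    if not sep or algo not in SUPPORTED:
        raise ValueError(f"unsupported checksum pin {pin!r}")
    digest = digest.lower()
    if len(digest) != 2 * SUPPORTED[algo]().digest_size or not all(c in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} digest in {pin!r}")
    return algo, digest

def verify_artifact(gav: str, pin: str, artifact: bytes) -> Verdict:
    """Check the bytes resolved for `gav` against the checksum pinned to that
    coordinate. The pin is bound to the GAV, not to a repository, so an artifact
    side-loaded from elsewhere under the same coordinate must still match."""
    algo, expected = parse_pin(pin)
    actual = SUPPORTED[algo](artifact).hexdigest()
    if hmac.compare_digest(actual, expected):
        return Verdict(gav, True, f"{algo} matches")
    return Verdict(gav, False, f"{algo} mismatch: expected {expected[:12]}.., got {actual[:12]}..")

def verify_resolution(pins: dict[str, str], resolved: dict[str, bytes]) -> list[Verdict]:
    """Verify every resolved dependency; an unpinned coordinate is a failure."""
    verdicts = []
    for gav, artifact in resolved.items():
        if gav not in pins:
            verdicts.append(Verdict(gav, False, "no checksum declared for this coordinate"))
        else:
            verdicts.append(verify_artifact(gav, pins[gav], artifact))
    return verdicts

# Constructed sample: the artifact the author meant, and a different build
# uploaded (or side-loaded from another repository) under the same GAV.
GENUINE = b"PK\x03\x04 genuine foo-1.0.jar contents"
SWAPPED = b"PK\x03\x04 different build under the same GAV"
PINS = {"com.example.foo:foo:1.0": "sha1:" + hashlib.sha1(GENUINE).hexdigest()}
```

Running `verify_resolution(PINS, {...})` over a resolution that returned `SWAPPED` for the pinned coordinate reports a mismatch, and a coordinate with no declared pin is reported rather than silently accepted.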
