Nahh.. you misinterpret what I am saying (probably a fault of my communication)... when it is not a day I have taken as vacation time I will explain in more detail
On 25 March 2014 08:55, Baptiste Mathus <[email protected]> wrote:

> FWIW, I'm aware it's easily feasible to add that checksum validation in a
> plugin, but you'll still have to repeat the coordinates.
> And that very thing was my point: I don't think having to repeat those
> coordinates to add metadata is great.
>
> Not even saying this *must* go in modelVersion 5, I just wanted that debate
> to happen at least for future reference if people wonder why maven pom
> can't store that dependency metadata (DRY'ly alongside its data, I mean).
>
> Cheers
>
> 2014-03-25 6:36 GMT+01:00 Dominik Bartholdi <[email protected]>:
>
> > For this, there is already an enforcer rule available:
> > https://github.com/gary-rowe/BitcoinjEnforcerRules
> > Domi
> >
> > On 24.03.2014, at 20:31, Martijn Dashorst <[email protected]>
> > wrote:
> >
> > > On Mon, Mar 24, 2014 at 8:06 PM, Stephen Connolly <
> > > [email protected]> wrote:
> > >
> > >> I see the checksums then as being another potential side artifact... No
> > >> need for modelVersion 5.0.0
> > >
> > > I see it differently: the checksum validates the GAV coordinates. "I mean
> > > 'com.example.foo:foo:1.0', specifically verify that it matches this
> > > signature 'sha1:1234567890abcdef'.
> > >
> > > For example, this enables me to check if a different version of an artefact
> > > was uploaded to the same GAV than I expected (and reportedly the original
> > > author too).
> > >
> > >> A plugin right now could capture them and deploy to repo, and you could
> > >> have same plugin verify the resolved dependencies against the same file.
> > >
> > > This assumes the whole chain of parties is to be trusted. That nobody will
> > > try to side-load a version from a different repository.
> > >
> > > I find the idea of adding a checksum to a dependency interesting. While I
> > > don't care for the extra fields in the POM, it opens a better venue of
> > > vetting the dependencies.
> > >
> > > Martijn
>
> --
> Baptiste <Batmat> MATHUS - http://batmat.net
> Save a tree,
> Eat a beaver!
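
The check debated in this thread (pinning a checksum to a GAV so that a replaced or side-loaded artifact is detected) is sketched below as an added example; it is not code from the thread, from Maven, or from the enforcer rule linked above. The pin-file format (`groupId:artifactId:version algo:hexdigest`), the function names and the sample artifact bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

ALLOWED = {"sha1", "sha256"}  # sha1 is the form quoted in the thread

def parse_pins(text):
    """Parse lines of 'groupId:artifactId:version algo:hexdigest' (assumed format)."""
    pins = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        gav, _, spec = line.partition(" ")
        algo, _, digest = spec.strip().partition(":")
        if gav.count(":") != 2 or algo not in ALLOWED or not digest:
            raise ValueError(f"line {n}: malformed pin {line!r}")
        if gav in pins:
            raise ValueError(f"line {n}: duplicate pin for {gav}")
        pins[gav] = (algo, digest.lower())
    return pins

def verify(pins, resolved):
    """Return {gav: status} for every resolved artifact and every unused pin."""
    report = {}
    for gav, data in resolved.items():
        if gav not in pins:
            report[gav] = "UNPINNED"  # resolved, but nobody vetted it
            continue
        algo, expected = pins[gav]
        actual = hashlib.new(algo, data).hexdigest()
        ok = hmac.compare_digest(actual, expected)
        report[gav] = "OK" if ok else "MISMATCH"
    for gav in pins.keys() - resolved.keys():
        report[gav] = "MISSING"  # pinned, but never resolved
    return report

# Constructed sample data: byte strings stand in for downloaded jars.
ORIGINAL = b"constructed bytes standing in for foo-1.0.jar"
REPLACED = b"constructed bytes for a different upload under the same GAV"
PINS = parse_pins(
    "# pinned when the dependency was vetted\n"
    f"com.example.foo:foo:1.0 sha1:{hashlib.sha1(ORIGINAL).hexdigest()}\n"
    f"com.example.bar:bar:2.3 sha256:{hashlib.sha256(b'bar').hexdigest()}\n"
)

if __name__ == "__main__":
    resolved = {"com.example.foo:foo:1.0": REPLACED, "org.example:extra:0.1": b"x"}
    for gav, status in sorted(verify(PINS, resolved).items()):
        print(f"{status:9} {gav}")
```

Because the pins are keyed by GAV and checked against the bytes actually resolved, the result does not depend on which repository served the artifact.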
