Well, comparing a signed jar with an unsigned jar for equality will take quite a bit of time. Do you have a quick way of doing that? (let me know :-)) That's why I'm leaning towards not spending time on it at this stage even if the (presumably) equivalent signed jar can be found in Maven Central.
On Tue, Oct 31, 2017 at 12:16 PM, Matthias Bläsing <mblaes...@doppel-helix.eu> wrote:

> Hey Lars,
>
> On Tuesday, 31.10.2017, at 11:56 +0100, Lars Bruun-Hansen wrote:
> >
> > Some external jars in the old NetBeans build have been stripped of their
> > signatures. Why?
> >
> > See Matthias' comment here:
> > https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270
> >
> > In general: How much should I try to find the external binary in some repo?
>
> I had some bad experiences with BouncyCastle JARs. It turned out that
> the jars were mixed from different versions. I'm a bit fuzzy if the
> cause were sealed packages or the signatures.
>
> As long as the signed JARs work I'm all for using them. I just pointed
> out that it could cause problems.
>
> If the signed jar is identical (apart from the signatures) or tested I
> don't see a problem switching.
>
> Greetings
>
> Matthias
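
One way to do the "identical apart from the signatures" comparison discussed in this thread, as an added example that is not part of the original mails or the NetBeans build. It assumes signing only adds `META-INF` signature files and per-entry digest sections to the manifest; the function names and the in-memory sample jars are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Signature-related entries that jar signing adds under META-INF/.
SIG_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"

def manifest_main_section(data: bytes) -> str:
    """Main attributes only: signing appends per-entry digest sections."""
    text = data.decode("utf-8", "replace").replace("\r\n", "\n").replace("\r", "\n")
    main = text.split("\n\n", 1)[0]
    return main.replace("\n ", "").strip()  # unfold continuation lines

def content_digests(jar) -> dict:
    """Map entry name -> SHA-256, skipping directories and signature files."""
    digests = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or SIG_ENTRY.match(name):
                continue
            data = zf.read(info)
            if name.upper() == MANIFEST:
                data = manifest_main_section(data).encode()
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_jars(jar_a, jar_b) -> dict:
    # Empty lists everywhere mean: same payload, signatures aside.
    a, b = content_digests(jar_a), content_digests(jar_b)
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "differing": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def build_jar(entries: dict) -> io.BytesIO:
    """Constructed sample input: an in-memory jar built from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    import sys
    print(compare_jars(sys.argv[1], sys.argv[2]))
```

A non-empty `differing` list is the mixed-versions case mentioned above. An empty result says nothing about whether the signature itself is valid; that is a separate check with `jarsigner -verify`.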