Hi Jacques,

I would consider this to be the worst-case scenario, with no other solutions available. I would much rather pull this library from some remote location. So let's try to find a solution there first because adding the library this way adds a lot of complexity to both the build script, build time, dependencies, etc.
Taher Alkhateeb

On Aug 24, 2016 10:04 AM, "Jacques Le Roux" <[email protected]> wrote:

> We did not get an answer yet, but Taher suggested another possibility:
> gradle-repositories-plugin on GitHub. It's not yet evaluated but could be a
> workaround, my only concern is stability in time...
>
> Jacques
>
>
> On 22/08/2016 at 22:09, Jacques Le Roux wrote:
>
>> Hi Eirik,
>>
>> We have decided to use notsoserial to provide security for our users
>> https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability
>>
>> We recently moved from Ant to Gradle. After this discussion
>> http://markmail.org/message/ppxjeagqrwx6tkj3 (you don't need to read it,
>> just a cross reference for us ;)) we thought to ask you if you would mind
>> pushing notsoserial to jcenter repo?
>>
>> The reason is it's better for us to have you taking care of that rather
>> than having to create a fork and update on your changes. I guess it would
>> help other projects as well. I know some other Top Level Apache Projects
>> (TLP) are also relying on notsoserial.
>>
>> I hope it's not too much to ask. I saw that you seem to be on vacation
>> https://twitter.com/eirbjo we are not in a hurry (the cinnamon roll
>> seems quite weird to me :))
>>
>> Best regards
>>
>> Jacques
