IMO...

Any discussion of a "Workaround" for checksum mismatches is intrinsically a discussion of intentionally weakening the (very minimal) security we put in place to ensure that people who run our code are using the same third-party "bits" that we (as developers) have also run. (We may not have any confidence that those third-party "bits" aren't malicious, but at least we know we're all using the same bits.)

IMO...

Any discussion of intentionally weakening that (very minimal) security should be a non-starter. The only discussions we should be having around checks related to our third-party jars should be about *increasing* security (applying the checksum validation before letting gradle load those jars to run tests, doing security scans of new versions before upgrading, etc...)

IMO...

modules/cuvs should be completely ripped out of all Solr branches until such time as:

 * cuvs related deps w/completely *new* versions (or names) are "released"
 * All cuvs related deps are released to trusted maven repos (SOLR-17938)

...if that means Solr 10 gets released w/o cuvs -- so be it.

-Hoss
http://www.lucidworks.com/
