On Thu, Jan 31, 2013 at 12:59 PM, Matthew Toseland <t...@amphibian.dyndns.org> wrote:

> On Thursday 31 Jan 2013 17:50:32 Michael Grube wrote:
> > On Thu, Jan 31, 2013 at 11:36 AM, Ian Clarke <i...@freenetproject.org> wrote:
> > > This is despite the fact that no such compromise has ever occurred on any
> > > project that I'm aware of, and since we don't do code audits of Freenet's
> > > current dependencies, our current approach doesn't immunize us against it
> > > anyway.
> > Have you actually tried to find out?

If by "try" you mean a quick Google <https://www.google.com/webhp?sourceid=chrome-instant&ion=1&ie=UTF-8#hl=en&tbo=d&sclient=psy-ab&q=maven%20repository%20compromise&oq=&gs_l=&pbx=1&fp=eba5ecb19bdd79c3&ion=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&bvm=bv.41642243,d.b2I&biw=1371&bih=983> search, then yes.

> If we run our own repository:
> - We need to maintain it. This is more unnecessary work.

Not a lot, probably less than dealing with the freenet-ext.jar mess.

> - We need to host it. This is more CPU usage on the small, cheap, rather
> limited VM that runs the website etc.

It won't use significant CPU or bandwidth, only developers will access it, and Maven caches dependencies locally.

> But most importantly, we need it to be reasonably easy to *develop Freenet
> anonymously*. This is not a theoretical aspiration. There are anonymous
> developers today, and some of them are extremely productive at times.

They can use a Tor proxy.

> Exactly what problem are you trying to solve here? It's really not that
> hard to build Freenet. Granted it should be easier; the immediate problem
> is you need not only freenet-ext.jar (which the build scripts will fetch
> for you if you set one line in a config file; the first time you run ant it
> will tell you this), but also the bouncycastle jar, which isn't
> auto-fetched.

I'm trying to bring us into 2013, Maven is virtually a standard Java tool these days. freenet-ext.jar has to be built, has to be kept up-to-date. It's basically an ugly home-grown dependency management solution.

Originally there were no alternatives, but now there are, and there are easy solutions to the problems that you've outlined with it.

Ian.

--
Ian Clarke
Personal blog: http://blog.locut.us/