On Wed, Sep 30, 2015 at 6:48 AM, Matthew Toseland <[email protected]> wrote:
>
> Checking a signature or at least a checksum is basic due diligence for
> security-related software. It's not supported reliably by Maven,
> apparently for business reasons.
I haven't looked at it in depth, but Gradle has something that appears to be signing support:
https://docs.gradle.org/current/userguide/signing_plugin.html

Without a thorough audit of dependencies' source code, and their dependencies' source code, and so on, not to mention maybe even the JRE's source code, all of this concern for digital signatures on binaries is security theatre IMHO.

And if we can't or won't keep up with modern development tools then we're going to severely limit who will contribute to the project, something we can scarcely afford to do. A modern Java developer will want to use modern Java development tools.

Ian.

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
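The "checksum as basic due diligence" step the quoted message refers to, shown here as an added example that is not code from the Freenet project or from either participant in the thread. It is a stand-alone Python script independent of Maven or Gradle: a build refuses a downloaded artifact unless its SHA-256 matches a digest recorded in a manifest committed alongside the build. The artifact coordinates, payload bytes and pinned digests are constructed for illustration (the pinned values are the SHA-256 of the byte strings b"abc" and b""). One caveat the example makes explicit: a checksum sidecar fetched from the same repository as the jar only catches transfer corruption, because whoever can substitute the jar can substitute the sidecar; substitution is caught only by comparing against digests stored with the build. Signing what a project publishes (what the linked Gradle plugin does) is a separate concern from verifying what its build consumes.

```python
"""Pin-and-verify check for fetched build dependencies.

Added example, not code from the Freenet project or the thread: a build step
that refuses a downloaded artifact unless its SHA-256 matches a digest committed
in advance. All coordinates, bytes and digests below are constructed.
"""
import hashlib
import hmac
import re

# Constructed pin manifest, standing in for a file committed to the repository.
# Key: artifact coordinate; value: SHA-256 (hex) recorded when the dependency
# was first reviewed. The first value is SHA-256 of b"abc", the second of b"".
PINNED = {
    "org.example:lib:1.0:jar":
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "org.example:util:1.0:jar":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

_HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sidecar(text: str) -> str:
    """Extract the digest from a checksum sidecar file.

    Accepts either a bare hex digest (as in a Maven-style artifact.jar.sha256)
    or the "<digest>  <filename>" layout written by sha256sum(1). Raises
    ValueError for anything that is not exactly one 64-hex-digit SHA-256, so a
    truncated or empty sidecar can never compare equal to a real digest.
    """
    fields = text.strip().split()
    if not fields or not _HEX_SHA256.match(fields[0]):
        raise ValueError("sidecar does not contain a SHA-256 hex digest")
    return fields[0].lower()


def verify_artifact(coord: str, data: bytes, pins=PINNED) -> str:
    """Return "ok", "mismatch" or "unpinned" for one downloaded artifact.

    A missing pin is reported separately from a mismatch: a build that silently
    accepts unpinned artifacts has no integrity guarantee at all.
    """
    expected = pins.get(coord)
    if expected is None:
        return "unpinned"
    if hmac.compare_digest(sha256_hex(data), expected.lower()):
        return "ok"
    return "mismatch"


def sidecar_matches(data: bytes, sidecar_text: str) -> bool:
    """Check an artifact against the repository's own sidecar file.

    This detects transfer corruption only: a repository (or anyone in the path
    to it) that replaces the jar can replace the sidecar too. Substitution is
    caught by verify_artifact() against pins stored with the build, not here.
    """
    return hmac.compare_digest(sha256_hex(data), parse_sidecar(sidecar_text))


def check_download_set(downloads, pins=PINNED):
    """Verify every (coord, bytes) pair; return a list of (coord, status) failures."""
    failures = []
    for coord, data in downloads:
        status = verify_artifact(coord, data, pins)
        if status != "ok":
            failures.append((coord, status))
    return failures


if __name__ == "__main__":
    # Constructed downloads: the reviewed lib, a tampered util, and an unpinned jar.
    downloads = [
        ("org.example:lib:1.0:jar", b"abc"),
        ("org.example:util:1.0:jar", b"not the reviewed bytes"),
        ("org.example:other:2.0:jar", b"anything"),
    ]
    for coord, status in check_download_set(downloads):
        print(f"REFUSING {coord}: {status}")
```

In a real build the manifest is reviewed and committed like source, and a new or upgraded dependency requires a deliberate pin change in the same commit that introduces it; that is what turns "we ran a checksum" into a check that an attacker who controls the download path cannot satisfy.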
