On 10/02/2015 07:56 AM, Victor Denisov wrote:
>> As long as we can pin dependencies with checksums or something to be
>> sure what jars are used, if nothing else for auditable build purposes,
>> I'm up for moving. ant does add some complexity because running "ant"
>> doesn't work without reading the README.building / adding the
>> dependency-fetching argument.
>
> How about a custom Maven repo with checked/approved dependencies only?
> Creating a Maven repo is trivial if a Web server is already running; and
> it can also be done in a GitHub repo - though GitHub certainly wasn't
> designed for such a use, I know a couple of projects which host their
> repos this way without problems.

While that could offer useful amounts of control, it seems likely to be against typical usage / culture around Maven, and unless I'm missing something wouldn't provide checksum / signature verification at time of use.
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
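The checksum pinning discussed in this thread, sketched as an added example that is not code from the thread or from the Freenet build: a build step that checks every jar in a library directory against SHA-256 pins at time of use, whichever repository the jars were fetched from. The jar names, the sha256sum-style manifest format and the function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # jars are read whole


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style 'hexdigest  filename' lines into {filename: digest}."""
    pins = {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2 or len(parts[0]) != 64 or parts[1] in pins:
            raise ValueError(f"manifest line {n}: malformed or duplicate entry")
        bytes.fromhex(parts[0])  # ValueError if the digest is not hex
        pins[parts[1]] = parts[0].lower()
    return pins


def verify_jars(lib_dir: Path, pins: dict[str, str]) -> list[str]:
    """Fail closed: report unpinned, missing and mismatching jars."""
    present = {p.name for p in lib_dir.glob("*.jar")}
    problems = [f"unpinned: {n}" for n in sorted(present - set(pins))]
    for name, want in sorted(pins.items()):
        path = lib_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(path) != want:
            problems.append(f"mismatch: {name}")
    return problems  # an empty list means the build may proceed


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: two fake jars, then one swapped and one added."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        (lib / "alpha-1.0.jar").write_bytes(b"constructed jar A")
        (lib / "beta-2.1.jar").write_bytes(b"constructed jar B")
        manifest = "".join(f"{sha256_file(p)}  {p.name}\n" for p in lib.glob("*.jar"))
        pins = parse_manifest("# constructed pins\n" + manifest)
        clean = verify_jars(lib, pins)
        (lib / "beta-2.1.jar").write_bytes(b"swapped upstream")
        (lib / "gamma-0.3.jar").write_bytes(b"not in manifest")
        return clean, verify_jars(lib, pins)


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest under version control next to the build file puts every dependency change into a reviewable diff, which is what makes the build auditable.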