>> How about a custom Maven repo with checked/approved dependencies only?
>> Creating a Maven repo is trivial if a Web server is already running; and
>> it can also be done in a GitHub repo - though GitHub certainly wasn't
>> designed for such a use, I know a couple of projects which host their
>> repos this way without problems.
>
> While that could offer useful amounts of control, it seems likely to be
> against typical usage / culture around Maven, and unless I'm missing
> something wouldn't provide checksum / signature verification at time of use.
I wouldn't say that it is contrary to Maven culture (a lot of open-source projects, e.g., Vaadin, run custom repos, and, of course, many larger companies with proprietary code run custom repos as well). The issue of signature verification should be researched further: I know there's a Maven plugin which can check dependency signatures at build time; but of course most of the libraries out there aren't signed, so maintainers will have to provide their own signatures (one more point for running a custom repo).

Regards,
Victor Denisov.

_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
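The "checksum verification at time of use" point raised in the thread, worked through as an added example that is not code from either poster: a Python check that resolves coordinates in the standard Maven 2 repository layout, accepts only coordinates on an approved list (the curated-repo idea), and verifies each jar against its `.sha1` sidecar file. The repository contents and coordinates are constructed in a temporary directory and are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def artifact_path(repo: Path, group: str, artifact: str, version: str, ext: str = "jar") -> Path:
    # Standard Maven 2 layout: groupId dots become directories,
    # e.g. org/example/lib/1.0/lib-1.0.jar with lib-1.0.jar.sha1 beside it.
    return repo.joinpath(*group.split(".")) / artifact / version / f"{artifact}-{version}.{ext}"

def verify_artifact(repo: Path, coord: str, approved: set, ext: str = "jar"):
    """Check one groupId:artifactId:version against the approved list and its
    .sha1 sidecar. Returns (ok, reason); only ok=True means it may be used."""
    if coord not in approved:
        return False, f"{coord} is not on the approved list"
    group, artifact, version = coord.split(":")
    jar = artifact_path(repo, group, artifact, version, ext)
    sidecar = jar.with_name(jar.name + ".sha1")
    if not jar.is_file() or not sidecar.is_file():
        return False, f"{coord}: artifact or .sha1 sidecar missing"
    # Maven checksum files hold the hex digest, sometimes followed by a filename.
    expected = sidecar.read_text().split()[0].lower()
    actual = hashlib.sha1(jar.read_bytes()).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{coord}: SHA-1 mismatch (expected {expected}, got {actual})"
    return True, f"{coord}: checksum verified"

def build_demo_repo() -> Path:
    """Constructed sample repo (hypothetical coordinates): one consistent
    artifact and one whose bytes no longer match the published checksum."""
    repo = Path(tempfile.mkdtemp(prefix="approved-repo-"))
    good = artifact_path(repo, "org.example", "goodlib", "1.0")
    good.parent.mkdir(parents=True)
    good.write_bytes(b"PK\x03\x04 goodlib 1.0 contents")
    good.with_name(good.name + ".sha1").write_text(hashlib.sha1(good.read_bytes()).hexdigest() + "\n")
    bad = artifact_path(repo, "org.example", "badlib", "2.1")
    bad.parent.mkdir(parents=True)
    bad.with_name(bad.name + ".sha1").write_text(hashlib.sha1(b"original badlib 2.1").hexdigest() + "\n")
    bad.write_bytes(b"PK\x03\x04 badlib 2.1 replaced contents")  # jar changed after its checksum was published
    return repo

APPROVED = {"org.example:goodlib:1.0", "org.example:badlib:2.1"}

if __name__ == "__main__":
    repo = build_demo_repo()
    for coord in ["org.example:goodlib:1.0", "org.example:badlib:2.1", "org.example:unvetted:3.0"]:
        print(verify_artifact(repo, coord, APPROVED))
```

A `.sha1` sidecar only proves the jar matches what the repository published, so it detects corruption or tampering in transit, not a bad upstream; a signature check against a key the maintainers trust is the stronger complement.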