On 10/02/2015 08:29 AM, Victor Denisov wrote:
>>> How about a custom Maven repo with checked/approved dependencies only?
>>> Creating a Maven repo is trivial if a Web server is already running; and
>>> it can also be done in a GitHub repo - though GitHub certainly wasn't
>>> designed for such a use, I know a couple of projects which host their
>>> repos this way without problems.
>>
>> While that could offer useful amounts of control, it seems likely to be
>> against typical usage / culture around Maven, and unless I'm missing
>> something wouldn't provide checksum / signature verification at time of use.
>
> I wouldn't say that it is contrary to Maven culture (a lot of
> open-source projects - i.e., Vaadin - run custom repos, and, of course,
> many larger companies with proprietary code run custom repos as well).
> The issue of signature verification should be researched further - I
> know there's a Maven plugin which can check dependency signatures at
> build time; but of course most of the libraries out there aren't signed
> - so maintainers will have to provide their own signatures (one more
> point for running a custom repo).
Unless I'm missing something, the ant build is doing less verification than I thought. It looks like it's verifying the downloaded freenet-ext jar against a SHA-1 downloaded from the same server. [0] (As opposed to from the repo.) I'd be perfectly happy with verifying against checksums committed to the repository, for instance.

[0] https://github.com/freenet/fred/blob/next/build.xml#L54
_______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
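The distinction raised in the message above (a digest fetched from the same host as the artifact versus one committed to the source repository) is the whole security point: if the download server is compromised, the attacker can replace both the jar and the digest file next to it, so the check only detects transfer corruption. A digest that lives in the repository, and can only change through a reviewed commit, pins the artifact to what the maintainers approved. The following POSIX shell script is an added example of that second approach; it is not the fred build.xml logic nor any Freenet project code. It assumes a checksums file in `sha256sum` output format committed beside the build script, and uses SHA-256 rather than the SHA-1 the message mentions. The jar files and digests it checks are constructed inline as stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the fred build. Verify a downloaded artifact
# against a digest pinned in the source tree instead of one fetched from the
# download server. Assumes a file in `sha256sum` format:
#     <hex-sha256>  <filename>
# committed alongside the build script (hypothetical name: checksums.sha256).

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact <checksums-file> <artifact-path>
# Exit status: 0 = digest matches the pinned entry for the artifact's basename,
#              1 = mismatch (treat as tampering, not just corruption),
#              2 = no pinned entry at all (an unpinned dependency is also a failure).
verify_artifact() {
    checksums="$1"
    artifact="$2"
    name=$(basename "$artifact")
    # Match on the second field; strip the "*" that sha256sum -b prepends in binary mode.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print tolower($1) }' "$checksums")
    if [ -z "$expected" ]; then
        echo "no pinned digest for $name in $checksums" >&2
        return 2
    fi
    actual=$(sha256_of "$artifact")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Constructed fixture standing in for a checkout plus a download directory.
demo_dir=$(mktemp -d)
# "good.jar" has the bytes "abc"; the pinned value below is SHA-256("abc").
printf 'abc' > "$demo_dir/good.jar"
# "bad.jar" is pinned to the same digest but its content has been altered.
printf 'abd' > "$demo_dir/bad.jar"
# "unpinned.jar" has no entry in the committed checksums file.
printf 'abc' > "$demo_dir/unpinned.jar"
cat > "$demo_dir/checksums.sha256" <<'EOF'
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  good.jar
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  bad.jar
EOF

# Stand-alone demonstration; a build would abort on any non-zero status.
verify_artifact "$demo_dir/checksums.sha256" "$demo_dir/good.jar" && echo "good.jar: OK"
verify_artifact "$demo_dir/checksums.sha256" "$demo_dir/bad.jar" || echo "bad.jar: rejected (status $?)"
verify_artifact "$demo_dir/checksums.sha256" "$demo_dir/unpinned.jar" || echo "unpinned.jar: rejected (status $?)"
```

Two design choices worth noting: a missing entry is treated as a failure rather than skipped, so a new dependency cannot enter the build without someone committing its digest; and the digest is compared only after the artifact is fully on disk, so the file the build consumes is exactly the file that was checked.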
