Open Whisper Systems has developed a Gradle plugin for verifying hard-coded
checksums against dependencies.[1] They are also another example
of a project using a custom Maven repo hosted on GitHub.[2]

-Charles

[1] https://github.com/WhisperSystems/gradle-witness
[2] https://github.com/WhisperSystems/maven

On 10/2/15 8:48 AM, Steve Dougherty wrote:
> On 10/02/2015 08:29 AM, Victor Denisov wrote:
>>>> How about a custom Maven repo with checked/approved dependencies only?
>>>> Creating a Maven repo is trivial if a Web server is already running; and
>>>> it can also be done in a GitHub repo - though GitHub certainly wasn't
>>>> designed for such a use, I know a couple of projects which host their
>>>> repos this way without problems.
>>> While that could offer useful amounts of control, it seems likely to be
>>> against typical usage / culture around Maven, and unless I'm missing
>>> something wouldn't provide checksum / signature verification at time of use.
>> I wouldn't say that it is contrary to Maven culture (a lot of
>> open-source projects - i.e., Vaadin - run custom repos, and, of course,
>> many larger companies with proprietary code run custom repos as well).
>> The issue of signature verification should be researched further - I
>> know there's a Maven plugin which can check dependency signatures at
>> build time; but of course most of the libraries out there aren't signed
>> - so maintainers will have to provide their own signatures (one more
>> point for running a custom repo).
> Unless I'm missing something the ant build is doing less verification
> than I thought. It looks like it's verifying the downloaded freenet-ext
> jar against a SHA-1 downloaded from the same server. [0] (As opposed to
> from the repo.)
>
> I'd be perfectly happy with verifying against checksums committed to the
> repository, for instance.
>
> [0] https://github.com/freenet/fred/blob/next/build.xml#L54
>
>
>
> _______________________________________________
> Devl mailing list
> Devl@freenetproject.org
> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
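The two verification models contrasted in the quoted exchange (a checksum file served beside the jar by the same host, versus a checksum committed to the project's own repository), worked through as an added example. This is illustrative Python written for this page; it is neither fred's build.xml logic nor the gradle-witness plugin. The `Mirror` class, the jar bytes, the "freenet-ext.jar" name and the manifest text are constructed stand-ins so that the script runs offline.

```python
"""Pinned-checksum verification of a build dependency (illustrative).

Model (a): the build fetches <jar> and <jar>.sha1 from the same host and
compares them. Model (b): the expected digest is committed to the source
repository and reviewed with the code; the download host is untrusted.
Everything below is constructed for this example; nothing is downloaded.
"""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    # SHA-1 only models the existing build's check; the pinned manifest uses SHA-256.
    return hashlib.sha1(data).hexdigest()


class Mirror:
    """Toy stand-in (constructed for this example) for a download host that
    serves an artifact and, next to it, the artifact's .sha1 file."""

    def __init__(self, artifacts: dict[str, bytes]) -> None:
        self.files: dict[str, bytes] = {}
        for name, data in artifacts.items():
            self.files[name] = data
            self.files[name + ".sha1"] = sha1_hex(data).encode()

    def get(self, path: str) -> bytes:
        return self.files[path]

    def compromise(self, name: str, payload: bytes) -> None:
        """An attacker with write access to the host swaps the jar and
        regenerates the checksum file that sits beside it."""
        self.files[name] = payload
        self.files[name + ".sha1"] = sha1_hex(payload).encode()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse a committed manifest in `sha256sum` output format:
    '<64 hex chars>  <filename>' per line; blank lines and '#' comments ignored.
    Malformed entries are rejected rather than silently skipped."""
    pins: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry {line!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hex") from None
        pins[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return pins


def verify_same_server(mirror: Mirror, name: str) -> bool:
    """Model (a): checksum and artifact come from the same host, so whoever
    controls that host can make any payload pass."""
    jar = mirror.get(name)
    expected = mirror.get(name + ".sha1").decode().strip()
    return hmac.compare_digest(sha1_hex(jar), expected)


def verify_pinned(mirror: Mirror, name: str, pins: dict[str, str]) -> bool:
    """Model (b): the expected digest was committed to the repository; a
    dependency with no pinned entry fails closed instead of being trusted."""
    if name not in pins:
        raise KeyError(f"no pinned checksum for {name}; refusing to build")
    return hmac.compare_digest(sha256_hex(mirror.get(name)), pins[name])


# Constructed stand-ins for the genuine and a backdoored artifact.
GENUINE_JAR = b"PK\x03\x04 constructed stand-in for freenet-ext.jar"
TAMPERED_JAR = b"PK\x03\x04 constructed backdoored freenet-ext.jar"

# What a maintainer would generate once (`sha256sum freenet-ext.jar`) and commit.
# Built from the genuine bytes here so the example is self-contained.
COMMITTED_MANIFEST = (
    "# dependency checksums (constructed for this example)\n"
    f"{sha256_hex(GENUINE_JAR)}  freenet-ext.jar\n"
)


def run_scenario() -> dict[str, bool]:
    """Run both checks before and after the mirror is compromised."""
    pins = parse_manifest(COMMITTED_MANIFEST)
    mirror = Mirror({"freenet-ext.jar": GENUINE_JAR})
    results = {
        "same_server_before": verify_same_server(mirror, "freenet-ext.jar"),
        "pinned_before": verify_pinned(mirror, "freenet-ext.jar", pins),
    }
    mirror.compromise("freenet-ext.jar", TAMPERED_JAR)
    results["same_server_after"] = verify_same_server(mirror, "freenet-ext.jar")
    results["pinned_after"] = verify_pinned(mirror, "freenet-ext.jar", pins)
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

Running it shows the point of the thread: the same-server check still passes after the host is compromised, because the attacker regenerated the .sha1 file along with the jar, while the pinned check fails. Updating a pinned digest then becomes a reviewed change in the repository rather than something the download host can do on its own.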


Attachment: signature.asc
Description: OpenPGP digital signature
