On Fri, 2015-10-02 at 08:48 -0400, Steve Dougherty wrote:
> On 10/02/2015 08:29 AM, Victor Denisov wrote:
> > > > How about a custom Maven repo with checked/approved
> > > > dependencies only?
> > > > Creating a Maven repo is trivial if a Web server is already
> > > > running; and it can also be done in a GitHub repo - though
> > > > GitHub certainly wasn't designed for such a use, I know a
> > > > couple of projects which host their repos this way without
> > > > problems.
> > >
> > > While that could offer useful amounts of control, it seems likely
> > > to be against typical usage / culture around Maven, and unless
> > > I'm missing something wouldn't provide checksum / signature
> > > verification at time of use.
> >
> > I wouldn't say that it is contrary to Maven culture (a lot of
> > open-source projects - i.e., Vaadin - run custom repos, and, of
> > course, many larger companies with proprietary code run custom
> > repos as well).
> > The issue of signature verification should be researched further -
> > I know there's a Maven plugin which can check dependency signatures
> > at build time; but of course most of the libraries out there aren't
> > signed - so maintainers will have to provide their own signatures
> > (one more point for running a custom repo).
>
> Unless I'm missing something the ant build is doing less verification
> than I thought. It looks like it's verifying the downloaded
> freenet-ext jar against a SHA-1 downloaded from the same server. [0]
> (As opposed to from the repo.)
>
> I'd be perfectly happy with verifying against checksums committed to
> the repository, for instance.
>
> [0] https://github.com/freenet/fred/blob/next/build.xml#L54
>

It's not as braindead as it sounds; the data and checksums used to come off different servers... Emu was redirecting the data download request to the mirror network

Florent
_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
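
The difference between the two checks discussed in this thread (a SHA-1 fetched from the same server as the jar versus a checksum committed to the repository), as an added example that is not code from the Freenet build or from anyone in the thread. The manifest format, the file name `freenet-ext.jar` as a manifest key, the sample bytes and the use of SHA-256 for the pin are assumptions.

```python
import hashlib
import hmac


def parse_pins(manifest_text):
    """Parse 'hexdigest  filename' lines (sha256sum format) from a
    manifest that is committed to the source repository."""
    pins = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        pins[name.lstrip("*")] = digest.lower()
    return pins


def verify_pinned(name, data, pins):
    """Fail closed: an unlisted artifact and a mismatch are both rejected."""
    expected = pins.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def verify_same_origin(data, served_checksum):
    """Checksum fetched from the same server as the jar: it only detects
    transfer corruption, not a change made on that server."""
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, served_checksum.strip().lower())


# Constructed sample data standing in for real jar contents.
GOOD_JAR = b"constructed stand-in for the reviewed freenet-ext.jar bytes"
CHANGED_JAR = b"constructed stand-in for a jar that differs from the reviewed one"
PINS = parse_pins(
    "# assumed manifest, committed next to build.xml\n"
    + hashlib.sha256(GOOD_JAR).hexdigest() + "  freenet-ext.jar\n"
)


def demo():
    # A single server hosting both files serves a checksum matching its jar.
    served_sha1 = hashlib.sha1(CHANGED_JAR).hexdigest()
    return {
        "same_origin_accepts_changed": verify_same_origin(CHANGED_JAR, served_sha1),
        "pinned_accepts_changed": verify_pinned("freenet-ext.jar", CHANGED_JAR, PINS),
        "pinned_accepts_good": verify_pinned("freenet-ext.jar", GOOD_JAR, PINS),
        "pinned_accepts_unlisted": verify_pinned("other.jar", GOOD_JAR, PINS),
    }
```

Updating a dependency then requires a reviewed commit to the manifest, which is the control the same-origin check lacks.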
