On 10/10/2015 04:14 PM, Matthew Toseland wrote:
> On 06/10/15 15:10, Ian Clarke wrote:
>> On Tue, Oct 6, 2015 at 4:39 AM, xor <x...@freenetproject.org> wrote:
...
> Deploying build-time dependencies via Gradle is not appropriate IMHO: It
> means updating them is *our* responsibility, and it increases our
> maintenance overheads as a result, and reduces the end-user's security.
> Updating JUnit etc is the distribution's responsibility, not ours. And
> anything that doesn't get updated is a security risk.
In what way does it make updating them our responsibility? Checksum pinning does that inherently already. Charles linked to gradle-witness and it looks like exactly what we're looking for: transitive dependency checksum verification. https://github.com/WhisperSystems/gradle-witness
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
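As an added illustration (not code from this thread, and not gradle-witness's own implementation), the Python model below shows what transitive checksum pinning buys: every artifact the build resolves, including the hamcrest artifact that junit pulls in transitively, must have a pinned SHA-256 and match it, so a silently changed or never-reviewed artifact fails the build instead of being used. The artifact bytes, the dependency coordinates and the 'group:name:sha256' pin shape are constructed for this example.

```python
import hashlib

# Constructed stand-ins for the artifact bytes a build would download.
# The hamcrest entry is a transitive dependency of junit: it is in the
# resolved set even though nobody listed it directly.
RESOLVED_ARTIFACTS = {
    "junit:junit": b"junit-4.12.jar contents (constructed)",
    "org.hamcrest:hamcrest-core": b"hamcrest-core-1.3.jar contents (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact's bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest in a 'group:name:sha256' shape (assumed for the example).
# In practice these pins are generated once, reviewed, and committed; they
# only change when a maintainer deliberately updates a dependency.
PINNED = [
    f"junit:junit:{sha256_hex(RESOLVED_ARTIFACTS['junit:junit'])}",
    f"org.hamcrest:hamcrest-core:{sha256_hex(RESOLVED_ARTIFACTS['org.hamcrest:hamcrest-core'])}",
]


def parse_pins(pins):
    """Map 'group:name' coordinates to their pinned hex digest."""
    table = {}
    for entry in pins:
        group, name, digest = entry.rsplit(":", 2)
        table[f"{group}:{name}"] = digest.lower()
    return table


def verify_dependencies(resolved, pins):
    """Return a list of problems; an empty list means every resolved artifact,
    direct or transitive, is pinned and its checksum matches the pin."""
    expected = parse_pins(pins)
    problems = []
    for coord, data in resolved.items():
        if coord not in expected:
            # A transitive artifact nobody pinned: it was never reviewed.
            problems.append(f"unpinned: {coord}")
            continue
        actual = sha256_hex(data)
        if actual != expected[coord]:
            # Bytes differ from what was reviewed: tampering or an
            # unacknowledged upgrade; either way the build must stop.
            problems.append(f"mismatch: {coord} expected {expected[coord]} got {actual}")
    return problems
```

A deliberate dependency upgrade shows up as a mismatch too, which is the work the pins put on the project: regenerate and re-review the checksum when the artifact changes.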