Developers who care about their anonymity can force Gradle or Maven to use a Tor proxy.
On Sun, Oct 11, 2015 at 4:35 PM, Steve Dougherty <[email protected]> wrote:
> On 10/10/2015 04:14 PM, Matthew Toseland wrote:
> > On 06/10/15 15:10, Ian Clarke wrote:
> >> On Tue, Oct 6, 2015 at 4:39 AM, xor <[email protected]> wrote:
> ...
> > Deploying build-time dependencies via Gradle is not appropriate IMHO: It
> > means updating them is *our* responsibility, and it increases our
> > maintenance overheads as a result, and reduces the end-user's security.
> > Updating JUnit etc. is the distribution's responsibility, not ours. And
> > anything that doesn't get updated is a security risk.
>
> In what way does it make updating them our responsibility? Checksum
> pinning does that inherently already. Charles linked to gradle-witness
> and it looks like exactly what we're looking for: transitive dependency
> checksum verification. https://github.com/WhisperSystems/gradle-witness
>
>
> _______________________________________________
> Devl mailing list
> [email protected]
> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl

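The two practical points in this exchange, forcing the build's downloads through a local Tor SOCKS proxy and pinning a checksum for every artifact including transitive ones, can both be checked before a build runs. The script below is an added example written for this page; it is not gradle-witness's code, not Freenet's build, and the gradle.properties samples, jar bytes and pin table in it are constructed. It assumes a Tor daemon on 127.0.0.1:9050 (Tor Browser's bundled daemon uses 9150) and that the Gradle or Maven JVM honours the `socksProxyHost`/`socksProxyPort` system properties; the cheap way to confirm that for your Gradle version is to point the proxy at a port where nothing listens and check that dependency resolution fails rather than silently going direct.

```python
"""Pre-build checks for an anonymity-conscious Gradle user (added example for
this page; not gradle-witness's code and not the Freenet build).

  1. Gradle passes systemProp.* entries in gradle.properties to the JVM, so a
     local Tor SOCKS proxy can be forced via socksProxyHost/socksProxyPort
     (Maven takes the same -D properties through MAVEN_OPTS).
  2. Pinning a checksum for every artifact, transitive ones included, which
     is what gradle-witness does for a Gradle build.
All sample properties, jar bytes and pins below are constructed.
"""
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

TOR_SOCKS = ("127.0.0.1", "9050")  # Tor's default SocksPort (Tor Browser: 9150)

GOOD_GRADLE_PROPERTIES = """
# route all dependency downloads through the local Tor daemon
systemProp.socksProxyHost=127.0.0.1
systemProp.socksProxyPort=9050
"""

BAD_GRADLE_PROPERTIES = """
systemProp.socksProxyHost=127.0.0.1
systemProp.socksProxyPort=9050
systemProp.https.proxyHost=proxy.example.org
systemProp.http.nonProxyHosts=*.example.org
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props


def proxy_problems(props):
    """Reasons these properties do NOT force every connection through Tor."""
    problems = []
    if (props.get("systemProp.socksProxyHost"),
            props.get("systemProp.socksProxyPort")) != TOR_SOCKS:
        problems.append("socksProxyHost/Port are not %s:%s" % TOR_SOCKS)
    # The JVM's default ProxySelector prefers http(s).proxyHost over SOCKS for
    # URL connections, so a stray HTTP proxy entry routes around Tor.
    for scheme in ("http", "https"):
        host = props.get("systemProp.%s.proxyHost" % scheme)
        if host and host not in ("127.0.0.1", "localhost"):
            problems.append("%s.proxyHost=%s bypasses Tor" % (scheme, host))
    if props.get("systemProp.http.nonProxyHosts"):  # listed hosts go direct
        problems.append("http.nonProxyHosts sends some traffic direct")
    return problems


def verify_pins(cache_dir, pins):
    """Check every jar in cache_dir against pins ({filename: sha256 hex}).
    An unpinned artifact is a failure, not a pass: that is what makes the check
    cover the whole dependency tree. Returns failure strings (empty = ok)."""
    failures, seen = [], set()
    for jar in sorted(Path(cache_dir).glob("*.jar")):
        seen.add(jar.name)
        actual = hashlib.sha256(jar.read_bytes()).hexdigest()
        expected = pins.get(jar.name)
        if expected is None:
            failures.append("UNPINNED %s sha256=%s" % (jar.name, actual))
        elif actual != expected.lower():
            failures.append("MISMATCH %s expected=%s got=%s" % (jar.name, expected, actual))
    failures.extend("MISSING %s" % name for name in pins if name not in seen)
    return failures


def demo():
    """Run both checks on constructed data; returns (good-proxy, bad-proxy, pins)."""
    with TemporaryDirectory() as cache:
        Path(cache, "junit-4.12.jar").write_bytes(b"constructed junit bytes")
        Path(cache, "hamcrest-core-1.3.jar").write_bytes(b"tampered bytes")
        Path(cache, "surprise-0.1.jar").write_bytes(b"transitive dep nobody pinned")
        pins = {  # what a committed pin file would hold for the two known jars
            "junit-4.12.jar": hashlib.sha256(b"constructed junit bytes").hexdigest(),
            "hamcrest-core-1.3.jar": hashlib.sha256(b"constructed hamcrest bytes").hexdigest(),
        }
        pin_failures = verify_pins(cache, pins)
    return (proxy_problems(parse_properties(GOOD_GRADLE_PROPERTIES)),
            proxy_problems(parse_properties(BAD_GRADLE_PROPERTIES)),
            pin_failures)


if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

The pin table has to live in version control next to the build script, as gradle-witness's does, otherwise a mirror that can tamper with a jar can tamper with its expected hash too; and the "unpinned is a failure" rule is the part that actually covers transitive dependencies, since a pin list that only names what you declared says nothing about what those declarations pull in.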