Good point. Or we could mirror the repos in Freenet, more dogfoody.

On Sun, Oct 11, 2015 at 2:37 PM, Zlatin Balevsky <[email protected]> wrote:

> Developers who care about their anonymity can force gradle or maven to use
> a tor proxy
>
> On Sun, Oct 11, 2015 at 4:35 PM, Steve Dougherty <[email protected]>
> wrote:
>
> > On 10/10/2015 04:14 PM, Matthew Toseland wrote:
> > > On 06/10/15 15:10, Ian Clarke wrote:
> > >> On Tue, Oct 6, 2015 at 4:39 AM, xor <[email protected]> wrote:
> > ...
> > > Deploying build-time dependencies via Gradle is not appropriate IMHO: It
> > > means updating them is *our* responsibility, and it increases our
> > > maintenance overheads as a result, and reduces the end-user's security.
> > > Updating JUnit etc is the distribution's responsibility, not ours. And
> > > anything that doesn't get updated is a security risk.
> >
> > In what way does it make updating them our responsibility? Checksum
> > pinning does that inherently already. Charles linked to gradle-witness
> > and it looks like exactly what we're looking for: transitive dependency
> > checksum verification. https://github.com/WhisperSystems/gradle-witness

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
