On 12/10/15 18:09, Ian wrote:
> On Mon, Oct 12, 2015 at 12:27 PM, Arne Babenhauserheide <[email protected]>
> wrote:
>
>> On Sunday, 11 October 2015, 20:37:32, Zlatin Balevsky wrote:
>>> Developers who care about their anonymity can force gradle or maven to
>>> use a tor proxy
>> Can we make Tor or repo-over-freenet the default for people who build
>> freenet?
> Since Freenet can (in theory) do it, I think it would be much better to use
> Freenet from an "eat your own dogfood" perspective. I think the only
> danger here is that we further complicate things for a developer trying to
> get into the project.
On 11/10/15 16:35, Steve Dougherty wrote:
> On 10/10/2015 04:14 PM, Matthew Toseland wrote:
>> On 06/10/15 15:10, Ian Clarke wrote:
>>> On Tue, Oct 6, 2015 at 4:39 AM, xor <[email protected]> wrote:
> ...
>> Deploying build-time dependencies via Gradle is not appropriate IMHO: It
>> means updating them is *our* responsibility, and it increases our
>> maintenance overheads as a result, and reduces the end-user's security.
>> Updating JUnit etc is the distribution's responsibility, not ours. And
>> anything that doesn't get updated is a security risk.
> In what way does it make updating them our responsibility? Checksum
> pinning does that inherently already. Charles linked to gradle-witness
> and it looks like exactly what we're looking for: transitive dependency
> checksum verification. https://github.com/WhisperSystems/gradle-witness

I made a distinction between build-time-only dependencies, like JUnit or
(probably) Mockito, versus run-time dependencies. We need to keep checksums
for run-time dependencies anyway, and we may as well download them from
Freenet if possible, and ask the user whether to get them from the WWW if
that fails. However, JUnit should be installed via the packaging system if
possible.

And as Jack pointed out, we need a build script to handle all of this:
- Download run-time dependencies and check checksums, either from Freenet or
  WWW (auto-detect Tor?).
- Ask the user if this fails. Output an informative error message if we
  don't have a useful stdin.
- Try to install build-time dependencies via package management (sudo
  apt-get install... etc).

The second stage is this: Do we want to write a Gradle plugin to manage
dependencies.properties? Essentially this would make adding external
run-time dependencies significantly easier. The cost is we'd need to
maintain a repository, including obtaining and checking signatures etc.
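The fetch-and-verify part of the build script sketched above, as an added example that is not Freenet's own build code: a POSIX shell routine that downloads a run-time dependency from a Freenet URL first, verifies it against a pinned SHA-256 before moving it into place, asks the user before falling back to the WWW, and fails with an explanatory message instead of prompting when stdin is not a terminal. The pin-line format, the function names and the `$FETCH` override are assumptions made for this example; dependencies.properties itself is not parsed here.

```shell
#!/bin/sh
# Assumed pin format (constructed, not the real dependencies.properties):
#   <artifact> <sha256> <freenet-url> <www-url>
# The download command comes from $FETCH so a Tor-aware fetcher can be
# substituted, e.g. FETCH="curl --socks5-hostname 127.0.0.1:9050 -fsSL -o".

sha256_of() {
  # GNU coreutils sha256sum, or shasum on macOS/BSD.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256 -> 0 only when the checksum matches.
verify_pinned() {
  actual=$(sha256_of "$1") || return 2
  [ "$actual" = "$2" ]
}

# try_fetch URL DEST EXPECTED_SHA256: download to DEST.part, verify, then
# move into place; an unverified artifact is deleted, never left on disk.
try_fetch() {
  if ${FETCH:-curl -fsSL -o} "$2.part" "$1" && verify_pinned "$2.part" "$3"; then
    mv "$2.part" "$2"
    return 0
  fi
  rm -f "$2.part"
  return 1
}

# fetch_dependency NAME SHA256 DEST FREENET_URL WWW_URL
# Freenet first; on failure ask before touching the WWW, and when stdin is
# not a terminal fail with an explanatory message instead of hanging.
fetch_dependency() {
  name=$1 sha=$2 dest=$3 primary=$4 fallback=$5
  try_fetch "$primary" "$dest" "$sha" && return 0
  if [ -t 0 ]; then
    printf '%s: fetch or checksum from %s failed. Try %s? [y/N] ' \
      "$name" "$primary" "$fallback"
    read -r answer
    case $answer in
      y|Y) try_fetch "$fallback" "$dest" "$sha" && return 0 ;;
    esac
  else
    echo "ERROR: $name: fetch or checksum from $primary failed (expected" \
      "sha256 $sha) and stdin is not a terminal, so not asking about $fallback." >&2
  fi
  return 1
}
```

A build script would read each pin line and call `fetch_dependency` per artifact; a checksum mismatch is treated exactly like a failed download, so a tampered or truncated file never reaches the classpath.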
_______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
