The only way that you could in good conscience claim to have a trusted build to those standards is to maintain your own clone of the project locally and build directly from that using the commit number specified in the GeoTools, GeoWebCache and GeoServer release notes. Obviously, you'll want to check all of the code and the commits that have been made to it since the last release to make sure nothing malicious has been added to it. And don't forget to check all the dependencies we build on top of, as any one of them could contain an issue too. If you do find anything, please use our responsible disclosure procedure to let us know so we can apply your fix to benefit everyone else.
I guess it depends on how much paranoia your company wants to pay for.

Ian

On Wed, 7 Oct 2020 at 15:07, galebellego <galebellego....@orange.com> wrote:

> Hi,
>
> I use and deploy geoserver (through the war file) within a company that has high (and mostly legitimate) concerns about security.
>
> Currently, geoserver stable / maintenance / .. versions can only be downloaded through *SourceForge*.
> I know that, these last 4 years, SF made great efforts toward reliability, especially when they decided to terminate the DevShare program.
> Unfortunately the trust here is hard to build back, and it's still too soon to be allowed to use SF to download any kind of artefact for production purposes.
>
> Alternately, I could go to https://build.geoserver.org/geoserver/2.17.x/.. and download a SNAPSHOT, but although the URL is trusted, I would like to be able to choose a specific version (for traceability purposes), and not a SNAPSHOT version.
>
> Thus, I am wondering if there is a safe / trusted place where I could download some specific stable release of geoserver?
>
> -----
> Gaël LB
> --
> Sent from: http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to this list:
> - Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
Ian Turton
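Added example (not part of the original message, and not GeoServer project tooling): a shell check for the step described in the reply, confirming that a local clone sits at exactly the commit given in the release notes, with nothing extra in the tree, before any build is started. The function name `verify_pinned_checkout` and its arguments are assumptions made for this illustration; the expected commit id is whatever the release notes state.

```shell
#!/bin/sh
# Added example: gate a local build on an exact, pinned release commit.

# verify_pinned_checkout REPO_DIR EXPECTED_SHA   (hypothetical helper)
# Returns 0 only when REPO_DIR is checked out at exactly EXPECTED_SHA and
# the working tree has no modified, staged or untracked files.
# Returns 2 for a malformed commit id, 3 if git itself fails, 1 on mismatch.
verify_pinned_checkout() {
    repo=$1
    expected=$2

    # Require a full 40-character lowercase hex id: an abbreviated id can be
    # ambiguous, and a branch or tag name can be moved after the release.
    case $expected in
        *[!0123456789abcdef]*)
            echo "commit id must be lowercase hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "commit id must be the full 40 characters" >&2; return 2
    fi

    # Resolve what is actually checked out and compare it to the pin.
    actual=$(git -C "$repo" rev-parse --verify 'HEAD^{commit}') || return 3
    if [ "$actual" != "$expected" ]; then
        echo "HEAD is $actual, expected $expected" >&2; return 1
    fi

    # Anything listed here would end up in the build without being part of
    # the reviewed commit. Files matched by .gitignore are not listed.
    dirty=$(git -C "$repo" status --porcelain) || return 3
    if [ -n "$dirty" ]; then
        echo "working tree differs from the pinned commit:" >&2
        echo "$dirty" >&2
        return 1
    fi
    return 0
}
```

Run it once per repository (GeoTools, GeoWebCache, GeoServer) with the commit id from the matching release notes, and start the build only if every call returns 0.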