This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5d2ee2e9c0 Abandoned: Dependency verification (OFBIZ-12186)
5d2ee2e9c0 is described below
commit 5d2ee2e9c076d33c3cca0655992914c948a602ba
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Mar 13 17:51:11 2026 +0100
Abandoned: Dependency verification (OFBIZ-12186)
Forgot to remove sy-dependency-verification.adoc and the link from
security.adoc
---
.../_include/sy-dependency-verification.adoc | 64 ----------------------
framework/security/src/docs/asciidoc/security.adoc | 1 -
2 files changed, 65 deletions(-)
diff --git
a/framework/security/src/docs/asciidoc/_include/sy-dependency-verification.adoc
b/framework/security/src/docs/asciidoc/_include/sy-dependency-verification.adoc
deleted file mode 100644
index 72cb897ab6..0000000000
---
a/framework/security/src/docs/asciidoc/_include/sy-dependency-verification.adoc
+++ /dev/null
@@ -1,64 +0,0 @@
-////
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License. You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied. See the License for the
-specific language governing permissions and limitations
-under the License.
-////
-
-= Gradle Dependency Verification
-The Apache OFBiz Project
-Release trunk
-
-CAUTION: This feature is for now disabled. You may use it locally if you
want...
-
-
-
-https://docs.gradle.org/current/userguide/dependency_verification.html[Here is
the Gradle documentation about dependency verification]
-
-As it's a long read you might prefer this summary:
-
-NOTE: the dependency verification is an incubating feature. So we will wait
before backporting from trunk...
-
-By default OFBiz comes with OOTB Gradle dependency verification.
-
-This means that it embeds a verification-metadata.xml file and a
verification-keyring.gpg in OFBiz gradle sub-directory which is used during
builds and other tasks to verify dependencies.
-
-These files are initially created using :
-
-TIP: gradlew --write-verification-metadata pgp,sha256 help +
-gradlew --write-verification-metadata pgp,sha256 --export-keys
-
-These command creates or updates the verification-metadata.xml and
verification-keyring.gpg files which respectively contains the checksums for
each of declared dependencies and the related keys
-
-
-Currently the status is it's incomplete in OFBiz. You get this message:
-
-* Some artifacts aren't signed or the signature couldn't be retrieved.
-* Some signature verification failed. Checksums were generated for those
artifacts but you MUST check if there's an actual problem. Look for entries
with the following comment: PGP verification failed
-PGP verification failed
-
-Only 6 keys are concerned. This does not prevent the verification to work
using metadata, though it's better to check the situation in case of doubts (OK
OTTB). You may use
-
-TIP: gradlew build --refresh-keys
-
-To recreate the keys
-
-The verification-metadata.xml file contains 2 entries that can be set to true
or false to check or ignore the 2 functionalities:
-
-IMPORTANT: <verify-metadata>true</verify-metadata> +
-<verify-signatures>true</verify-signatures>
-
-
-Finally, you may refer to https://issues.apache.org/jira/browse/OFBIZ-12186
for more information.
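Review bot: the removed paragraph beginning "This means that it embeds a verification-metadata.xml file and a verification-keyring.gpg" names two build artifacts in the gradle sub-directory, but this commit deletes documentation only (2 files changed, 65 deletions). Please confirm that both files were removed by the earlier change this commit follows up on. Gradle enables dependency verification whenever gradle/verification-metadata.xml is present, so a leftover copy with <verify-metadata>true</verify-metadata> would still be enforced during builds, with no documentation left to explain it. The commit message could also state briefly why the feature is abandoned. The deleted page reported unsigned artifacts and failed PGP verification for 6 keys, and without a summary readers have to reconstruct the reason from OFBIZ-12186.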
diff --git a/framework/security/src/docs/asciidoc/security.adoc
b/framework/security/src/docs/asciidoc/security.adoc
index 11f20f2523..bb2d65f570 100644
--- a/framework/security/src/docs/asciidoc/security.adoc
+++ b/framework/security/src/docs/asciidoc/security.adoc
@@ -43,4 +43,3 @@ For that you may take as an example to follow
https://issues.apache.org/jira/bro
include::_include/sy-password-and-JWT.adoc[leveloffset=+1]
include::_include/sy-CSRF-defense.adoc[leveloffset=+1]
include::_include/sy-impersonation.adoc[leveloffset=+1]
-include::_include/sy-dependency-verification.adoc[leveloffset=+1]
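Review bot: with the include:: line for sy-dependency-verification.adoc dropped at the end of security.adoc, the security guide no longer says anything about dependency verification. Consider keeping one sentence in security.adoc stating that Gradle dependency verification was tried and abandoned, with the OFBIZ-12186 link, so readers do not assume that dependency checksums or signatures are verified at build time. Also check the rest of the docs for cross-references to the removed section, since this hunk touches only this one include line.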