I agree with Taher: it is better to push this library yourself (if no support
is coming from the original providers) to the external repo and pull from
there, than adding additional complexities in the build for just 1 library.
The latter will have bigger consequences down the line.

Having pushed the library yourself to the external repo doesn't mean you
will be responsible for the maintenance of its code. You just make it
available in generally accepted ways. Like others have done before you with
exotics.

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Wed, Aug 24, 2016 at 9:38 AM, Taher Alkhateeb <[email protected]> wrote:

> Hi Jacques,
>
> I would consider this to be the worst case scenario and no other solutions
> available. I would much rather pull this library from some remote location.
> So let's try to find a solution there first because adding the library this
> way adds a lot of complexity to both the build script, build time,
> dependencies, etc ...
>
> Taher Alkhateeb
>
> On Aug 24, 2016 10:04 AM, "Jacques Le Roux" <[email protected]>
> wrote:
>
> > We did not get an answer yet, but Taher suggested another possibility:
> > gradle-repositories-plugin on GitHub. It's not yet evaluated but could be a
> > workaround, my only concern is stability in time...
> >
> > Jacques
> >
> >
> > On 22/08/2016 at 22:09, Jacques Le Roux wrote:
> >
> >> Hi Eirik,
> >>
> >> We have decided to use notsoserial to provide security for our users
> >> https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability
> >>
> >> We recently moved from Ant to Gradle. After this discussion
> >> http://markmail.org/message/ppxjeagqrwx6tkj3 (you don't need to read it,
> >> just a cross reference for us ;)) we thought to ask you if you would mind
> >> pushing notsoserial to jcenter repo?
> >>
> >> The reason is it's better for us to have you taking care of that rather
> >> than having to create a fork and update on your changes. I guess it would
> >> help other projects as well. I know some other Top Level Apache Projects
> >> (TLP) are also relying on notsoserial.
> >>
> >> I hope it's not too much to ask. I saw that you seem to be on vacation
> >> https://twitter.com/eirbjo we are not in a hurry (the cinnamon roll
> >> seems quite weird to me :))
> >>
> >> Best regards
> >>
> >> Jacques
> >>
> >>
> >
>
