+1 Hoss and thanks for framing that as well as you did.

On Fri, Oct 31, 2025 at 12:18 PM Chris Hostetter <[email protected]> wrote:
>
> IMO...
>
> Any discussion of a "Workaround" for checksum mismatches is intrinsically
> a discussion of intentionally weakening the (very minimal) security we put
> in place to ensure that people who run our code are using the same
> third-party "bits" that we (as developers) have also run.
>
> (We may not have any confidence that those third-party "bits" aren't
> malicious, but at least we know we're all using the same bits)
>
>
> IMO...
>
> Any discussion of intentionally weakening that (very minimal) security
> should be a non-starter.
>
> The only discussions we should be having around checks related to our
> third-party jars should be about *increasing* security (applying the
> checksum validation before letting gradle load those jars to run tests,
> doing security scans of new versions before upgrading, etc...)
>
>
> IMO...
>
> modules/cuvs should be completely ripped out of all Solr branches until
> such time as:
>
> * cuvs related deps w/Completely *new* versions (or names) are "released"
> * All cuvs related deps are released to trusted maven repos (SOLR-17938)
>
> ...if that means Solr 10 gets released w/o cuvs -- so be it.
>
>
> -Hoss
> http://www.lucidworks.com/

--
Anshum Gupta
