On Fri, Apr 12, 2013 at 11:07 AM, Fabian Christ <[email protected]> wrote:
> ...this is only a temporary solution, right? I just want to
> understand why it is okay in this case. The repo is under control of
> Restlet Inc. So it is a private repo of a company. We had the same
> situation in the past (during incubation) with other dependencies and
> had to remove all third party repos....

I don't remember the details of those past discussions - IMO there are two things:

1) Are the dependencies ok in terms of license
2) Are we ok with depending on a private repo for our builds

IIRC the problem with dependencies we removed was 1) more than 2), and IIUC 1) is ok for the restlet stuff.

About 2) I agree that in theory owners of private repos could inject bad stuff in the binaries that one gets from there...but we don't have any guarantee that that won't happen with a central repository either ;-)

I agree that this should be a temporary solution however, backed by a jira issue so we don't forget to fix it.

-Bertrand
