[ https://issues.apache.org/jira/browse/TIKA-3648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477407#comment-17477407 ]

Tim Allison commented on TIKA-3648:
-----------------------------------

We used to do this.  It was a pain for folks trying to build earlier tags 
locally.  See TIKA-2980.

The build can also break during the release process, which is less than 
entirely fun.

I've documented in the Tika release notes that the release manager should turn 
it on to ensure a clean build at the point in time right before running the 
release.

I'm not -1 on this.  I'm willing to give it a try again, but I did want to 
document that we used to do this and made the choice to turn it off.

> Fail build if ossindex-maven-plugin violation is detected
> ---------------------------------------------------------
>
>                 Key: TIKA-3648
>                 URL: https://issues.apache.org/jira/browse/TIKA-3648
>             Project: Tika
>          Issue Type: Improvement
>          Components: build, security
>    Affects Versions: 2.2.1
>            Reporter: Lewis John McGibbney
>            Assignee: Lewis John McGibbney
>            Priority: Critical
>             Fix For: 2.2.2
>
>
> The ossindex-maven-plugin can really assist us in detecting and preventing 
> security vulnerabilities and also mitigating associated risk and exposure.
> I propose to fail the build if ossindex-maven-plugin violation is detected
> https://github.com/apache/tika/blob/main/tika-parent/pom.xml#L639


