I took *freenet-official* and ran it through Maven, FindBugs and Sonar. I
offlined a couple of screenshots (
https://github.com/SebastianWeetabix/fred-maven/blob/master/freenetsonar1.png,
https://github.com/SebastianWeetabix/fred-maven/blob/master/freenetsonar2.png),
and the top five layers of the Sonar reports for builds 1362 through 1367 at
https://github.com/SebastianWeetabix/fred-maven/blob/master/Sonar.zip.

Reading through the concern about potential poisoning of the Maven repo, and
that it could have some type of effect on a build that would get distributed:
looking at the report, just like any app, the biggest security holes are the
ones that are introduced into the source code by accident: logic errors,
faulty design, lack of documentation, brittle implementation. Sonar throws
some light on these pre-existing inherent security issues. The repo
poisoning issue is a canard - Maven checks the hashes and sigs, plus you
can spec your own repo if you are that concerned. Also, the archives being
used in Freenet are probably built using Maven.

Another big plus with reorging the build, apart from making the structure
easier to grok and simpler and more consistent to build (a 3K XML build file vs.
a >20K XML build file; *contrib* would be trivial too), is that newbies can
put their arms around it and start contributing quicker and with more
confidence. There will be more eyes on the code, finding and weeding out the
historic flaws and giving the project more velocity.

SW
_______________________________________________
Devl mailing list
Devl@freenetproject.org
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
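As an added example (not part of the message above, nor Freenet's or the fred-maven repository's own configuration), here is the Maven settings.xml shape for the "spec your own repo" approach: every repository request, including Maven Central, is routed through a single self-hosted mirror, and the release checksum policy is set to fail so a mismatch between a downloaded artifact and its checksum file aborts the build instead of only logging a warning (the default policy is warn). The hostname repo.example.internal and the profile id strict-checksums are assumptions chosen for the example.

```xml
<!-- Added example, not from the original message or from the Freenet project.
     Assumed values: the mirror host "repo.example.internal" and the profile id
     "strict-checksums". Place this in ~/.m2/settings.xml (or pass it via
     "mvn -s settings.xml"). -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <mirrors>
    <!-- mirrorOf "*" sends every repository lookup, including "central" and any
         repository declared in a pom.xml, to our own host only. -->
    <mirror>
      <id>internal-repo</id>
      <name>Self-hosted mirror used for all dependency and plugin downloads</name>
      <mirrorOf>*</mirrorOf>
      <url>https://repo.example.internal/maven2</url>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-checksums</id>

      <!-- Dependency repository: releases only, and a checksum mismatch on a
           downloaded artifact fails the build rather than being logged. -->
      <repositories>
        <repository>
          <id>internal-repo</id>
          <url>https://repo.example.internal/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <!-- Snapshots are mutable by design; disabling them means only
                 fixed, versioned artifacts can reach the build. -->
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>

      <!-- Plugins run with full privileges inside the build, so they get the
           same policy as ordinary dependencies. -->
      <pluginRepositories>
        <pluginRepository>
          <id>internal-repo</id>
          <url>https://repo.example.internal/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <!-- Activate the profile unconditionally so no build silently falls back to
       the default warn-only checksum policy. -->
  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

The same strict behaviour can be forced for a single run with `mvn -C` (`--strict-checksums`), which is handy in CI regardless of what the developer's settings.xml says. Note the scope of the check: the checksum policy covers the `.sha1` checksum file Maven fetches alongside each artifact from the repository it was downloaded from; it does not verify PGP `.asc` signature files, so signature verification has to be done separately if it is required.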
