On 30/04/11 21:31, [email protected] wrote:
> I took *freenet-official* and ran it through Maven, findbugs and Sonar. I
> offlined a couple of screenshots (
> https://github.com/SebastianWeetabix/fred-maven/blob/master/freenetsonar1.png,
> https://github.com/SebastianWeetabix/fred-maven/blob/master/freenetsonar2.png),
> and the top five layers of the Sonar reports for builds 1362 thru 1367 at
> https://github.com/SebastianWeetabix/fred-maven/blob/master/Sonar.zip.
> 

thanks, I will have a look.

> Reading through the concern about potential poisoning of maven repo', and
> that could have some type of effect on a build that would get distributed,
> looking at the report, just like any app, the biggest security holes are the
> ones that are introduced into the source code by accident: Logic errors;
> Faulty design; Lack of documentation; Brittle implementation. Sonar throws
> some light on these pre-existing inherent security issues. The repo

we know. you don't need to defend maven with these points. however, verifying
downloaded dependencies is absolutely necessary. we need to be able to trust
the source code we build against.

> poisoning issue is a canard - Maven checks the hashes and sig's, plus you
> can spec your own repo if you are that concerned. Also, the archives being
> used in Freenet are probably built using Maven.
> 

can you please point me towards official maven documentation that describes
this? I have been unable to find it myself. for example, the official maven
repo only contains checksums, and these are distributed over insecure HTTP:

http://repo1.maven.org/maven2/org/xlightweb/xlightweb/2.13.2/

> Another big plus with reorging the build, apart from making the structure
> easier to grok, simpler and more consistent to build (3K XML build file vs.
> >20K XML build file, *contrib* would be trivial too), is that newbies can
> put their arms around it and start contributing quicker and with more
> confidence; There will be more eyes on the code, finding and weeding out the
> historic flaws, providing more velocity to the project.
> 
> SW
> 

-- 
GPG: 4096R/5FBBDBCE
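The exchange above turns on one point: a checksum served beside the artifact over the same plain-HTTP channel only proves the download was not corrupted in transit, not that it is the file the author published. The following is an added example, not code from the Freenet project or from either writer in this thread; the artifact bytes, the "download" function and the `.sha1` sidecar are constructed stand-ins, and the pinned SHA-256 plays the role of a hash recorded out of band (for instance committed to the project's own tree after a reviewed download).

```python
"""Why a checksum fetched with the artifact is not a trust anchor, and what
an out-of-band pinned hash adds.

Added example; not Freenet or Maven code. Artifact bytes, the download and
the sidecar checksum are constructed stand-ins.
"""
import hashlib
import hmac

# Constructed stand-in for a dependency JAR as published by its author.
GENUINE_ARTIFACT = b"PK\x03\x04 constructed genuine jar bytes"

# Reference value recorded out of band. It did not travel over the same
# channel as the artifact, so a party on the path cannot rewrite it.
PINNED_SHA256 = hashlib.sha256(GENUINE_ARTIFACT).hexdigest()


def sidecar_sha1(data: bytes) -> str:
    """Mimics the .sha1 sidecar file a repository serves beside an artifact."""
    return hashlib.sha1(data).hexdigest()


def download(tampered: bool) -> tuple[bytes, str]:
    """Constructed plain-HTTP 'download' returning (artifact, sidecar checksum).

    Without transport security, whoever can alter the artifact in transit can
    alter the sidecar too, so in the tampered case both stay consistent.
    """
    data = GENUINE_ARTIFACT if not tampered else GENUINE_ARTIFACT + b" extra class"
    return data, sidecar_sha1(data)


def sidecar_check(data: bytes, sidecar: str) -> bool:
    """Transfer-integrity check: catches corruption, not substitution."""
    return hmac.compare_digest(sidecar_sha1(data), sidecar)


def pinned_check(data: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Authenticity check against a value that did not travel with the artifact."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_hex)


def verify_download(tampered: bool) -> dict:
    """Run both checks on a constructed download and report each result."""
    data, sidecar = download(tampered)
    return {
        "sidecar_ok": sidecar_check(data, sidecar),
        "pinned_ok": pinned_check(data),
    }


if __name__ == "__main__":
    for tampered in (False, True):
        label = "tampered" if tampered else "genuine "
        print(label, verify_download(tampered))
```

For the genuine download both checks pass; for the substituted one the sidecar check still passes while the pinned check fails, which is the gap the thread is arguing about. A detached signature verified against a key obtained independently of the repository serves the same purpose as the pinned hash here.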
_______________________________________________
Devl mailing list
[email protected]
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
