On Thu, Jan 31, 2013 at 11:36 AM, Ian Clarke <[email protected]> wrote:
> I was thinking about the fact that we still build Freenet using the tools
> that were available to us a decade ago, while the Java world has moved on
> to more sophisticated dependency management tools like Maven.
>
> I recall that the reason for not using Maven is that it doesn't operate
> over a secure connection, and it leaves us open to the compromise of any of
> Freenet's dependencies' Maven repositories.
>
> This is despite the fact that no such compromise has ever occurred on any
> project that I'm aware of, and since we don't do code audits of Freenet's
> current dependencies, our current approach doesn't immunize us against it
> anyway.
>
> However, one approach that might alleviate this concern is that we run our
> own Maven repository which will host any dependencies we need, and then
> configure Maven not to pull from the central Maven repos.
>
> There is the other issue that Maven can be a PITA to use, however there
> are similar alternatives: http://www.streamhead.com/maven-alternatives/
>
> Thoughts?

Maven's really not that bad. If people are absolutely terrified about
dependencies being compromised, maybe make a quick script to do a checksum
on the dependencies once they're downloaded.

> Ian.
>
> --
> Ian Clarke
> Founder, The Freenet Project
> Email: [email protected]
>
> _______________________________________________
> Devl mailing list
> [email protected]
> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
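The "quick script to do a checksum on the dependencies" suggested in the reply, written out as an added example that is not part of this thread or of Freenet's build. It assumes a sha256sum-style manifest kept in the source tree and jars laid out under a local repository root such as ~/.m2/repository; both the manifest format and the function names are this example's own choices.

```python
# Added example (not from the thread): verify pinned SHA-256 digests of
# downloaded Maven jars. Manifest format and repository layout are assumptions.
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest>  <path relative to repo root>'."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        pinned[rel.strip()] = digest.lower()
    return pinned


def verify_artifacts(repo_root: str, manifest_text: str) -> dict:
    """Map each jar to 'ok', 'mismatch', 'missing' or 'unpinned'.

    'unpinned' flags a jar on disk that the manifest never approved, so a
    transitive dependency pulled in by a new POM cannot slip through silently.
    """
    root = Path(repo_root)
    pinned = parse_manifest(manifest_text)
    report = {}
    for rel, expected in pinned.items():
        p = root / rel
        if not p.is_file():
            report[rel] = "missing"
        else:
            report[rel] = "ok" if sha256_of(p) == expected else "mismatch"
    # Anything present on disk but absent from the manifest is reported too.
    for p in root.rglob("*.jar"):
        rel = p.relative_to(root).as_posix()
        report.setdefault(rel, "unpinned")
    return report
```

Pinning digests in the source tree, rather than trusting the .sha1 files a repository serves beside each artifact, is what makes the check meaningful: those files travel over the same channel as the jar itself.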
