We should include JNA so we can use the patch to reduce Freenet's disk I/O priority on Windows. We can include this via auto-update as a separate jar. However, the official jar is apparently built via Maven. We could include the official jar on the theory that while Maven doesn't really meet our security requirements (there is still no download/compile time verification of anything?), it's not only our problem if it's compromised. Or we could try to figure out how to build it without Maven.
Or perhaps Maven has improved since we last looked into it? IIRC Maven does some signature verification when you upload to their repository, but doesn't check signatures or hashes. I'm not sure whether or not it downloads binary dependencies over plain HTTP or HTTPS?

https://bugs.freenetproject.org/view.php?id=4982