On Wed, 2018-01-10 at 21:36 +0000, Matthew Toseland wrote:
> On 10/01/18 21:15, Florent Daigniere wrote:
> > On Wed, 2018-01-10 at 21:10 +0000, Matthew Toseland wrote:
> > > So what is going on, and why?
> >
> > What's happening is that Arne is refusing to move forward... and keeps
> > releasing off the old release tools and Ant.
> >
> > The rest of the team has been working on next (I've done most of the
> > current gradle support, including deterministic builds, ... steve has
> > been working on the release tools, ...)
>
> So you are checking the hashes of the downloaded components?
>
> I thought Gradle was just an evolution of Maven, with all the problems
> that implies: Recursively pulling random JAR files, with very little
> authentication, pay-for-only signature checking, and a guarantee that
> everyone who uploaded those JARs hasn't paid for that feature. In other
> words, malware galore.
>
> If that's the world that Gradle takes Freenet into, then I can entirely
> understand why Arne would have a problem with it.
>
We do check the hashes of downloaded components... and produce reproducible jars by default.

https://github.com/freenet/fred/blob/next/build.gradle#L227

Security is clearly not the concern here.

Florent
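The two properties claimed in the reply above (pinned hashes for downloaded components, reproducible jars), sketched as an added example that is not part of the original thread or of Freenet's build.gradle. File names, contents and the function names `verify_pinned` and `build_jar` are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-ins for downloaded dependency JARs.
DOWNLOADS = {
    "libA-1.0.jar": b"constructed bytes for libA",
    "libB-2.3.jar": b"constructed bytes for libB",
}
# In a real build these digests are literal values committed next to the
# build script; they are computed here only so the sample is self-contained.
PINNED = {n: hashlib.sha256(d).hexdigest() for n, d in DOWNLOADS.items()}


def verify_pinned(downloads, pinned):
    """Return names that are unpinned, altered, or pinned but missing."""
    bad = []
    for name, data in sorted(downloads.items()):
        expected = pinned.get(name)
        actual = hashlib.sha256(data).hexdigest()
        # An artifact with no pin is rejected, not silently trusted.
        if expected is None or not hmac.compare_digest(expected, actual):
            bad.append(name)
    bad += sorted(set(pinned) - set(downloads))
    return bad


FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the zip format allows


def build_jar(files):
    """Build archive bytes that do not depend on input order or clock."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):           # stable entry order
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3           # same value on every host OS
            info.external_attr = 0o644 << 16  # fixed permissions
            zf.writestr(info, files[name])
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected:", verify_pinned(DOWNLOADS, PINNED))
    jar = build_jar({"b.class": b"2", "a.class": b"1"})
    print("jar sha256:", hashlib.sha256(jar).hexdigest())
```

Two independent builders who get the same digest from `build_jar` for the same inputs can confirm that a published jar matches the source, which is the point of making the build reproducible.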