Thanks Dominik. The fact that gradlew does not verify what it is downloading is
one reason I don't use it in any of my projects (e.g. Smack). But I don't like
the approach of the gradle wrapper anyways...

As a related side note: I really would love to see built-in artifact
verification against an expected hash (for stable non-changing artifacts) or a
GPG key used to sign the artifact, built into Gradle. See also
http://discuss.gradle.org/t/how-can-i-verify-the-openpgp-signature-or-hash-of-artifacts-against-an-expected-one/9319

It appears the industry mostly (only?) uses artifact signatures when
importing artifacts into a company-internal repository (Artifactory), not when
building a project.
- Florian
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev