On Fri, 23 Mar 2012 22:21:20 +0100, Greg Reddin <[email protected]> wrote:

On Fri, Mar 23, 2012 at 3:09 PM, Sander Mak <[email protected]> wrote:

This is where organizations like the Apache Software Foundation are
helpful. Apache frowns upon projects that don't make releases every so
often, so you're likely to have a somewhat recent release of an Apache
product. It's up to you and your dependent software projects to ensure
you're using the later releases.

Really? For instance, Apache Batik's latest release (1.7) is from Jan 2008, AFAIK (even though I see commits up to nine months ago):

http://xmlgraphics.apache.org/batik/download.cgi


But in the end, we can't rely on Maven, Nexus, Apache, nor anyone else
to do our due diligence for us. If our project includes a few dozen
jars pulled in from who knows where (as do most) we must check the
provenance of the bits we're including. Who does that? I know I don't
do that enough.

Premising that it's really an interesting thread, I don't think Maven (or similar tools which auto-download dependencies) has got a specific problem. If you build with Ant and download libraries in a manual mode, you're experiencing the same risks. The problem, in fact, is downloading stuff, not the way you do it. At least Maven centralizes the process and you can do something - I mean you can set up checks in a standard way for everything you need, instead of being forced to manually e.g. check fingerprints searching for reference values in hundreds of different places. As Sander said, then it's up to you to do the due diligence.

--
Fabrizio Giudici - Java Architect, Project Manager
Tidalwave s.a.s. - "We make Java work. Everywhere."
[email protected]
http://tidalwave.it - http://fabriziogiudici.it
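The "standard check" Fabrizio describes, as an added example that is not part of the thread: a small Python script that verifies every jar in a build's dependency directory against one pinned SHA-256 manifest, so the reference values live in a single place instead of being hunted down per project. The manifest format (`<file name> <sha256 hex>` per line), the jar file names and all digests below are constructed for the example; in a real setup the pinned digests are taken from the upstream project's published checksums or signatures, never from the same mirror the jar was downloaded from.

```python
"""Verify downloaded dependency jars against a pinned checksum manifest.

Added example, not code from the thread or from any Maven/Ant project.
Manifest format is an assumption for this example: one "<file> <sha256>" per line.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<file> <sha256>' lines into a dict; blanks and '#' comments are skipped."""
    pinned = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"manifest line {lineno}: expected '<file> <sha256>'")
        pinned[parts[0]] = parts[1].lower()
    return pinned


def verify_jars(jar_dir, pinned):
    """Return {file name: status}, status in 'ok', 'mismatch', 'missing', 'unpinned'.

    'unpinned' flags a jar on disk that nobody vouched for, which is the case
    a per-project, by-hand fingerprint check most easily overlooks.
    """
    results = {}
    on_disk = {n for n in os.listdir(jar_dir) if n.endswith(".jar")}
    for name, expected in pinned.items():
        if name not in on_disk:
            results[name] = "missing"
            continue
        actual = sha256_of_file(os.path.join(jar_dir, name))
        # constant-time compare; both sides are ASCII hex strings
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in on_disk - pinned.keys():
        results[name] = "unpinned"
    return results


def build_sample_tree():
    """Constructed fixture: three fake jars plus a manifest; returns (dir, manifest text)."""
    d = tempfile.mkdtemp(prefix="deps-")
    good = b"PK\x03\x04 constructed good jar"
    tampered = b"PK\x03\x04 constructed tampered jar"
    extra = b"PK\x03\x04 constructed jar nobody pinned"
    files = {"batik-1.7.jar": good, "utils-2.3.jar": tampered, "mystery-0.1.jar": extra}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    # The pin for utils-2.3.jar is for a different (pristine) byte string on
    # purpose, so the file on disk shows up as a mismatch.
    pristine_utils = hashlib.sha256(b"PK\x03\x04 constructed pristine utils jar").hexdigest()
    manifest = "\n".join([
        "# constructed pins for the example",
        f"batik-1.7.jar {hashlib.sha256(good).hexdigest()}",
        f"utils-2.3.jar {pristine_utils}",
        "commons-foo-2.0.jar " + "0" * 64,   # pinned but never downloaded
    ])
    return d, manifest


if __name__ == "__main__":
    jar_dir, manifest_text = build_sample_tree()
    report = verify_jars(jar_dir, parse_manifest(manifest_text))
    for name, status in sorted(report.items()):
        print(f"{status:9} {name}")
    # Fail the build on anything that is not 'ok'.
    raise SystemExit(0 if all(s == "ok" for s in report.values()) else 1)
```

Run as a build step after dependency resolution (for Maven, against the local repository or the assembled `lib/` directory) and make a non-zero exit fail the build; the same manifest then serves every project that shares the dependency set.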
