On Fri, 23 Mar 2012 22:21:20 +0100, Greg Reddin <[email protected]> wrote:
On Fri, Mar 23, 2012 at 3:09 PM, Sander Mak <[email protected]> wrote:
This is where organizations like the Apache Software Foundation are helpful. Apache frowns upon projects that don't make releases every so often, so you're likely to have a somewhat recent release of an apache product. It's up to you and your dependent software projects to ensure you're using the later releases.
Really? For instance, Apache Batik latest release (1.7) is from Jan 2008, AFAIK (even though I see commits up to nine months ago):
http://xmlgraphics.apache.org/batik/download.cgi
But in the end, we can't rely on Maven, Nexus, Apache, nor anyone else to do our due diligence for us. If our project includes a few dozen jars pulled in from who knows where (as do most) we must check the provenance of the bits we're including. Who does that? I know I don't do that enough.
Premising that it's really an interesting thread, I don't think Maven (or similar tools which auto-download dependencies) has got a specific problem. If you build with Ant and download libraries in a manual mode, you're experiencing the same risks. The problem, in fact, is downloading stuff, not the way you do. At least Maven centralizes the process and you can do something - I mean you can set up checks in a standard way for everything you need, instead of being forced to manually e.g. check fingerprints searching for reference values in hundreds of different places. As Sander said, then it's up to you to do the due diligence.
-- Fabrizio Giudici - Java Architect, Project Manager Tidalwave s.a.s. - "We make Java work. Everywhere." [email protected] http://tidalwave.it - http://fabriziogiudici.it
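One way to make the "checks in a standard way" Fabrizio describes concrete, as an added example that is not from the thread and not part of Maven: a Python script that walks a Maven-style local repository, compares each jar with the `.sha1` sidecar the repository publishes beside it, and then with a SHA-256 the project itself recorded when it reviewed the artifact. The repository layout, jar contents and pinned values below are constructed for the demo.

```python
import hashlib
import os
import tempfile

def digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def verify_repo(repo_root, pinned):
    # pinned: repo-relative jar path -> SHA-256 recorded when the team reviewed that jar.
    results = {}  # jar path -> list of problems (empty list = passed)
    for dirpath, _, files in os.walk(repo_root):
        for name in (n for n in files if n.endswith(".jar")):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, repo_root).replace(os.sep, "/")
            results[rel] = problems = []
            # Check 1: the .sha1 sidecar published beside the jar. It comes from the same
            # server as the jar, so it catches corruption or truncation, not substitution.
            sidecar = full + ".sha1"
            if not os.path.exists(sidecar):
                problems.append("missing .sha1 sidecar")
            else:
                with open(sidecar) as f:
                    expected = f.read().split()[0].lower()
                if expected != digest(full, "sha1"):
                    problems.append("sha1 sidecar mismatch")
            # Check 2: the project's own pinned SHA-256, kept outside the repository.
            if rel not in pinned:
                problems.append("not in pinned manifest")
            elif pinned[rel] != digest(full, "sha256"):
                problems.append("pinned sha256 mismatch")
    return results

def build_demo_repo():
    # Constructed sample data: a throwaway repository holding three fake jars.
    root = tempfile.mkdtemp()
    def put(rel, data, sidecar=True):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        if sidecar:
            with open(full + ".sha1", "w") as f:
                f.write(digest(full, "sha1") + "\n")
        return full
    good = put("org/example/lib/1.0/lib-1.0.jar", b"PK\x03\x04 reviewed build")
    put("org/example/other/2.1/other-2.1.jar", b"PK\x03\x04 some other build")
    put("org/example/bare/0.9/bare-0.9.jar", b"PK\x03\x04 no sidecar", sidecar=False)
    pinned = {"org/example/lib/1.0/lib-1.0.jar": digest(good, "sha256"),
              "org/example/other/2.1/other-2.1.jar": "0" * 64}  # a different build
    return root, pinned
```

Running `verify_repo(*build_demo_repo())` flags the jar whose pinned hash differs and the jar with no sidecar and no pin, while the reviewed jar passes both checks.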
