On Wed, 22 Aug 2012 09:59:11 +0200, Sander Mak <[email protected]> wrote:
For anyone interested in this discussion, I also posted a follow-up on how to actually verify Maven dependencies:
http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/
The situation is pretty dire as you can see: none of the Maven based build tools integrate this verification into their workflow, so it's all manual (or use the commercial Nexus Pro repo manager).
Very valuable stuff, Sander. I think that the scripting solution you
propose could be used as well with a free Nexus installation, by having
the script running against the raw filesystem where Nexus stores stuff,
with a crontab. It's not the best approach, of course, but it's the first
automated solution that comes to my mind and provides actual protection.
The further step could be to provide those functions in a Maven plugin, so
everybody could at least run some security check on his own local repo.
--
Fabrizio Giudici - Java Architect, Project Manager
Tidalwave s.a.s. - "We make Java work. Everywhere."
[email protected]
http://tidalwave.it - http://fabriziogiudici.it
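A minimal version of the cron-driven check described above, added here as an illustration rather than taken from Sander's post, from Nexus or from Fabrizio: it walks a repository directory on disk (a constructed path; point it at Nexus' storage directory or a local ~/.m2/repository), lists artifacts that have no detached .asc signature and runs gpg --verify on those that do. It assumes gpg is installed and the publishers' public keys are already imported into the keyring.

```shell
#!/bin/sh
# Example repository check (not part of the original thread).
# Usage from crontab:  verify-repo.sh /path/to/nexus/storage/central
# Assumption: gpg is on PATH and the signing keys are already in the keyring,
# so an unknown key shows up as FAIL (gpg exits non-zero when it cannot check).

# Print every .jar/.pom under $1 that has no .asc signature beside it.
find_unsigned() {
    find "$1" -type f \( -name '*.jar' -o -name '*.pom' \) | while IFS= read -r f; do
        [ -f "$f.asc" ] || printf '%s\n' "$f"
    done
}

# Verify every detached signature under $1 against the artifact it signs.
# Prints one "OK <artifact>" or "FAIL <artifact>" line per signature.
verify_signed() {
    find "$1" -type f -name '*.asc' | while IFS= read -r sig; do
        artifact="${sig%.asc}"
        if gpg --batch --quiet --verify "$sig" "$artifact" >/dev/null 2>&1; then
            printf 'OK   %s\n' "$artifact"
        else
            # bad signature, missing artifact, or a key not in the keyring
            printf 'FAIL %s\n' "$artifact"
        fi
    done
}

# Full report for one repository root; returns 0 only when every artifact
# is signed and every signature verifies, so cron can alert on the status.
check_repo() {
    report=$(find_unsigned "$1" | sed 's/^/UNSIGNED /'; verify_signed "$1")
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -Eq '^(UNSIGNED|FAIL) '; then
        return 1
    fi
    return 0
}

# When run as a script with a repository path, report on it and exit accordingly.
if [ $# -gt 0 ]; then
    check_repo "$1"
    exit $?
fi
```

Because cron mails any output, an empty report with exit status 0 means a clean repository, while UNSIGNED or FAIL lines (and a non-zero exit) point at the exact artifact to inspect.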
--
You received this message because you are subscribed to the Google Groups "Java Posse" group.