maven-dev mailing list archives

From Dominik Bartholdi <d...@fortysix.ch>
Subject Re: Model Version 5.0.0
Date Tue, 25 Mar 2014 05:36:54 GMT
For this, there is already an enforcer rule available: https://github.com/gary-rowe/BitcoinjEnforcerRules
Domi

On 24.03.2014, at 20:31, Martijn Dashorst <martijn.dashorst@gmail.com> wrote:

> On Mon, Mar 24, 2014 at 8:06 PM, Stephen Connolly <
> stephen.alan.connolly@gmail.com> wrote:
> 
>> I see the checksums then as being another potential side artifact... No
>> need for modelVersion 5.0.0
>> 
> 
> I see it differently: the checksum validates the GAV coordinates. "I mean
> 'com.example.foo:foo:1.0', specifically verify that it matches this
> signature 'sha1:1234567890abcdef'."
> 
> For example, this enables me to check if a different version of an artefact
> was uploaded to the same GAV than I expected (and reportedly the original
> author too).
> 
>> A plugin right now could capture them and deploy to repo, and you could
>> have same plugin verify the resolved dependencies against the same file.
>> 
> 
> This assumes the whole chain of parties is to be trusted. That nobody will
> try to side-load a version from a different repository.
> 
> I find the idea of adding a checksum to a dependency interesting. While I
> don't care for the extra fields in the POM, it opens a better venue of
> vetting the dependencies.
> 
> Martijn

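One way to implement the check Martijn describes (record a checksum per GAV, then verify what the build actually resolved against it), as an added example that is not part of this thread or of Maven itself. The pin-file format, the sample jar bytes and the `demo` scenario are constructed assumptions; the code also goes slightly beyond the thread by flagging resolved dependencies that have no pin at all (the side-loading case) and pins whose artifact never resolved.

```python
import hashlib
import os
import tempfile

# Pin-file format is constructed for this example, one dependency per line:
# "<groupId>:<artifactId>:<version> <algo>:<hexdigest>", echoing the thread's "sha1:..." notation.
def parse_pins(text):
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gav, digest = line.split()
        algo, hexdigest = digest.split(":", 1)
        pins[gav] = (algo.lower(), hexdigest.lower())
    return pins

def file_digest(path, algo):
    h = hashlib.new(algo)  # stream the jar so large artifacts need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_resolved(pins, resolved):
    # resolved: GAV -> local path of what the build actually resolved; returns GAV -> status.
    report = {}
    for gav, path in resolved.items():
        if gav not in pins:
            report[gav] = "unpinned"  # side-loaded: no recorded checksum vouches for it
            continue
        algo, expected = pins[gav]
        report[gav] = "ok" if file_digest(path, algo) == expected else "mismatch"
    for gav in pins:
        report.setdefault(gav, "missing")  # pinned, but the build never resolved it
    return report

def demo():
    # Constructed scenario: intact foo; bar republished under its GAV; baz side-loaded, unpinned; qux pinned, unresolved.
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, payload in [("foo", b"original foo 1.0"), ("bar", b"REPUBLISHED bar 2.0"), ("baz", b"side-loaded baz")]:
            paths[name] = os.path.join(d, name + ".jar")
            with open(paths[name], "wb") as f:
                f.write(payload)
        pin_text = (f"com.example.foo:foo:1.0 sha1:{file_digest(paths['foo'], 'sha1')}\n"
                    f"com.example.bar:bar:2.0 sha256:{'0' * 64}\n"  # digest of the original bar (constructed)
                    f"com.example.qux:qux:4.0 sha1:{'f' * 40}\n")
        resolved = {f"com.example.{n}:{n}:{v}": paths[n] for n, v in [("foo", "1.0"), ("bar", "2.0"), ("baz", "3.0")]}
        return verify_resolved(parse_pins(pin_text), resolved)
```

Any status other than "ok" is a reason to fail the build rather than just warn, since "unpinned" is exactly the case where a dependency arrived from a repository the pin file never vouched for.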

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org

