maven-users mailing list archives

From Daniel Pocock <>
Subject Source code verification/compliance with Maven?
Date Thu, 09 May 2013 09:15:32 GMT


There is a lot of confusion about the distinction between software that
is free (like malware in app stores) and software that is really free
with open source code.

Several people have asked me how they can be sure that a Maven build
(including all downloaded plugins) only uses genuine open source
software, and that the binary downloads are identical to the source
releases.  There are many users that want to build projects from source
code in clean, non-networked environments.

How can somebody tell Maven to
a) recursively download source JARs for all plugins and dependencies
(and their build plugins) and compile them one by one?
b) stop if any source JAR contains binary artifacts or if a
dependency/plugin source is not available?
c) put all downloaded source in some kind of tree where it can be tarred
up, copied onto a DVD and then built by a machine that is offline?

I'm aware of the command "mvn dependency:sources", but this only appears
to fetch the sources on a best effort basis and doesn't appear to
compile them.
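The check asked for in point (b), done as an added example that is not part of the original message and not a Maven feature: a small audit over a Maven local repository (the standard `~/.m2/repository` layout, e.g. after `mvn dependency:sources` has populated it) that reports every artifact JAR with no matching `-sources.jar` and every sources JAR that carries compiled or native binaries. The sample repository is constructed inline so the script runs offline; the artifact names, the `CAFEBABE` stand-in class bytes and the list of suffixes treated as binary are assumptions for illustration. The script only inspects, it neither downloads nor compiles anything.

```python
import sys
import tempfile
import zipfile
from pathlib import Path

# Entry suffixes that should never appear inside a source release (assumed list).
BINARY_SUFFIXES = (".class", ".jar", ".so", ".dll", ".dylib", ".exe")


def coordinate(jar: Path, root: Path) -> str:
    """Turn <root>/g/r/o/u/p/artifact/version/x.jar into group:artifact:version."""
    parts = jar.relative_to(root).parent.parts
    group, artifact, version = ".".join(parts[:-2]), parts[-2], parts[-1]
    return f"{group}:{artifact}:{version}"


def binary_entries(sources_jar: Path) -> list:
    """List zip entries in a sources JAR whose names look like binaries."""
    with zipfile.ZipFile(sources_jar) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(BINARY_SUFFIXES))


def audit_repo(root: Path) -> dict:
    """Walk a local repository and collect artifacts that fail the source-only rule."""
    missing, tainted = [], {}
    for jar in sorted(root.rglob("*.jar")):
        if jar.name.endswith(("-sources.jar", "-javadoc.jar")):
            continue  # classifier JARs are checked via their main artifact
        sources = jar.with_name(jar.name[:-len(".jar")] + "-sources.jar")
        coord = coordinate(jar, root)
        if not sources.exists():
            missing.append(coord)
            continue
        binaries = binary_entries(sources)
        if binaries:
            tainted[coord] = binaries
    return {"missing_sources": missing, "binary_in_sources": tainted}


def is_clean(report: dict) -> bool:
    return not report["missing_sources"] and not report["binary_in_sources"]


def build_sample_repo(root: Path) -> Path:
    """Constructed sample repository: one clean artifact, one with no sources JAR,
    one whose sources JAR smuggles a .class file. Not real downloads."""
    fake_class = b"\xca\xfe\xba\xbe"  # Java class-file magic, stands in for a real class

    def write_jar(path: Path, entries: dict) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    base = root / "org" / "example"
    write_jar(base / "clean" / "1.0" / "clean-1.0.jar", {"org/example/A.class": fake_class})
    write_jar(base / "clean" / "1.0" / "clean-1.0-sources.jar", {"org/example/A.java": b"class A {}"})
    write_jar(base / "nosrc" / "2.0" / "nosrc-2.0.jar", {"org/example/B.class": fake_class})
    write_jar(base / "tainted" / "3.0" / "tainted-3.0.jar", {"org/example/C.class": fake_class})
    write_jar(base / "tainted" / "3.0" / "tainted-3.0-sources.jar",
              {"org/example/C.java": b"class C {}", "lib/helper.class": fake_class})
    return root


def demo_report() -> dict:
    """Build the constructed repository in a temp dir and audit it."""
    root = build_sample_repo(Path(tempfile.mkdtemp(prefix="m2-audit-")))
    return audit_repo(root)


if __name__ == "__main__":
    # Point at a real repository with: python audit.py ~/.m2/repository
    report = audit_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else demo_report()
    for coord in report["missing_sources"]:
        print(f"MISSING SOURCES  {coord}")
    for coord, entries in report["binary_in_sources"].items():
        print(f"BINARY IN SOURCES {coord}: {', '.join(entries)}")
    sys.exit(0 if is_clean(report) else 1)
```

The non-zero exit status is what lets a build script stop, as the question asks, before anything is tarred up for the offline machine; the script deliberately does not try to decide whether a source JAR matches the binary JAR, which needs a rebuild and a comparison rather than a listing.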



