maven-users mailing list archives

From "Manfred Moser" <>
Subject Re: Source code verification/compliance with Maven?
Date Thu, 09 May 2013 15:21:26 GMT
Correct. The other thing you want to ensure is your acquisition of the
jar. With Nexus (and other repo managers probably) you can connect to the
https secured version of Central and enforce checksum verification so you
can be sure that any component you get into the repo manager is the same
as upstream.

This avoids the problem of building from source as you suggest, since this
is very often extremely difficult (just ask the Debian folks or other Linux
distros that try to rebuild everything from source... it's a HUGE task).

Sonatype CLM includes integration with Nexus, Eclipse IDE and
Jenkins/Hudson as well as a backend server to define rules and more.


PS: Disclaimer: I work with Sonatype on their documentation.

> Well, I know that Sonatype has a product they have been pretty aggressive
> with called CLM.
> CLM shows both vulnerabilities and license threats -- including undefined
> licenses...  Perhaps that is what you need?
> Thanks,
> Roy Lyons
> On 5/9/13 4:15 AM, "Daniel Pocock" <> wrote:
>>There is a lot of confusion about the distinction between software that
>>is free (like malware in app stores) and software that is really free
>>with open source code.
>>Several people have asked me how they can be sure that a Maven build
>>(including all downloaded plugins) only uses genuine open source
>>software, and that the binary downloads are identical to the source
>>releases.  There are many users that want to build projects from source
>>code in clean, non-networked environments.
>>How can somebody tell Maven to
>>a) recursively download source JARs for all plugins and dependencies
>>(and their build plugins) and compile them one by one?
>>b) stop if any source JAR contains binary artifacts or if a
>>dependency/plugin source is not available?
>>c) put all downloaded source in some kind of tree where it can be tarred
>>up, copied onto a DVD and then built by a machine that is offline?
>>I'm aware of the command "mvn dependency:sources", but this only appears
>>to fetch the sources on a best effort basis and doesn't appear to
>>compile them.
>>To unsubscribe, e-mail:
>>For additional commands, e-mail:

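The checksum enforcement Manfred describes is done by the repo manager or by Maven itself (Maven's `-C` / `--strict-checksums` flag fails the build on a mismatch, and a Nexus proxy repository can be set to a strict checksum policy), but it is useful to see what the check actually consists of. The following is an added example, not code from the thread, from Nexus or from Sonatype: a Python script that walks a Maven-layout repository directory, reads the `.sha1` sidecar that Central publishes next to every artifact (and that Maven keeps in the local repository), and reports each jar as `ok`, `mismatch` or `missing-sidecar`. The sample repository it builds is constructed in a temp directory with fake jar bytes; the group/artifact names are made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_hex(path):
    """SHA-1 of a file, streamed so large jars are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sidecar(path):
    """A Maven .sha1 sidecar is the bare hex digest, sometimes followed by
    whitespace and a filename (sha1sum output). Only the first token counts."""
    text = Path(path).read_text(encoding="ascii", errors="replace").strip()
    return text.split()[0].lower() if text else ""


def verify_repo(root):
    """Walk a Maven-layout repository and compare every jar with its .sha1 sidecar.

    Returns {relative jar path: "ok" | "mismatch" | "missing-sidecar"}.
    This is the same comparison a strict checksum policy performs on download;
    run against a repo manager's storage it catches modification after download,
    but it cannot prove the upstream publisher was honest (see the note below).
    """
    root = Path(root)
    results = {}
    for jar in root.rglob("*.jar"):
        rel = jar.relative_to(root).as_posix()
        sidecar = jar.with_name(jar.name + ".sha1")
        if not sidecar.exists():
            results[rel] = "missing-sidecar"
            continue
        expected = parse_sidecar(sidecar)
        results[rel] = "ok" if expected == sha1_hex(jar) else "mismatch"
    return results


def build_sample_repo():
    """Constructed sample repository (fake jar contents, made-up coordinates)."""
    root = Path(tempfile.mkdtemp(prefix="m2-sample-"))

    # Intact artifact: sidecar written from the actual bytes.
    good = root / "org/example/good/1.0/good-1.0.jar"
    good.parent.mkdir(parents=True)
    good.write_bytes(b"PK\x03\x04 constructed good jar")
    (good.parent / "good-1.0.jar.sha1").write_text(sha1_hex(good) + "\n")

    # Tampered artifact: sidecar (in sha1sum output form) no longer matches the bytes.
    bad = root / "org/example/tampered/1.0/tampered-1.0.jar"
    bad.parent.mkdir(parents=True)
    bad.write_bytes(b"PK\x03\x04 constructed jar, modified after the sidecar was written")
    (bad.parent / "tampered-1.0.jar.sha1").write_text(
        "da39a3ee5e6b4b0d3255bfef95601890afd80709  tampered-1.0.jar\n"
    )

    # Artifact with no sidecar at all: cannot be verified, so it is flagged too.
    nosum = root / "org/example/nosum/1.0/nosum-1.0.jar"
    nosum.parent.mkdir(parents=True)
    nosum.write_bytes(b"PK\x03\x04 constructed jar without sidecar")
    return root


if __name__ == "__main__":
    for rel, status in sorted(verify_repo(build_sample_repo()).items()):
        print(f"{status:16} {rel}")
```

Point the script at `~/.m2/repository` (or a Nexus storage directory) instead of the sample to audit what a build machine already holds. One caveat a practitioner should keep in mind: the `.sha1` file is served by the same repository as the jar, so a match proves the bytes were not altered in transit or on disk after publication, not that the publisher is who you think. For that you need the `.asc` PGP signature Central also publishes, checked against a key you trust.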
