If Maven or some other tool decides to update one of the selected jars used by my project, it can introduce a version marked as a high security risk. That's something I can't allow.
You define a specific library version in your dependency management tool. There are also tools for Maven/Gradle that verify dependency signatures against a list of trusted signatures defined manually in the build script. That way you can make sure your download from Maven central / jcenter is the one you expect to download.
Here an example of using Gradle with signature verification: https://docs.gradle.org/current/userguide/dependency_verification.html
-- J.
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/5315bf85-07aa-4efe-bdb8-f8316dec5695o%40googlegroups.com.
No comments:
Post a Comment