[ https://issues.apache.org/jira/browse/OFBIZ-12186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292125#comment-17292125 ]
ASF subversion and git services commented on OFBIZ-12186:
---------------------------------------------------------
Commit c2c609d8e4e94de1d932b80249613a628a3eccd9 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c2c609d ]
Improved: Dependency verification (OFBIZ-12186)
I just read an ASF members thread about this article:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
One member mentioned that the Groovy project is using Gradle's dependency
verification feature[1] in the Apache Groovy build.
I suggest we do the same, even after the move from JCenter to MavenCentral where
things should be safer.
[1] https://docs.gradle.org/current/userguide/dependency_verification.html
This commit includes:
The verification-metadata.xml and verification-keyring.gpg used by the verification task
*.gpg as binary in .gitattributes for verification-keyring.gpg
The documentation about the verification in sy-dependency-verification.adoc with a link and some unrelated changes in security.adoc about security for OFBiz in production
An empty line removed in build.gradle