Bug
Resolution: Done
Major
jboss-fuse-6.2.1
This potentially affects a number of our builds, and is based on a request from Jonathan Christison and involves our use of the maven-download-plugin. From Jonathan:
"The issue has also highlighted use of external requests at build time.
The offending plugin is
com.googlecode.maven-download-plugin:download-maven-plugin and can be
found in a few locations, e.g. cxf/rt/transports/http/pom.xml or by
searching for maven-download-plugin:1.1.0:wget in the perfectus/build
logs. These fetches might not be reproducible because they are not
only subject to change such as the public_suffix_list.dat but could
vanish altogether.
I think this puts us in a similar situation to npm whereby we need a
mechanism to automatically mirror/store these files (if they cannot
just be static?) so -
A) Builds are reproducible
B) Customers can build offline
C) The files have some kind of traceability and assurances they're not
malicious"
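
One way to inventory the build-time fetches described above, as an added example that is not part of the original issue or of the project's code: it parses a POM, lists every `wget` execution of the download plugin, and flags those with no checksum pinned. The sample POM is constructed, the checksum parameter names are an assumption to verify against the plugin version in use, and only execution-level `<configuration>` with literal (non-property) URLs is handled.

```python
import xml.etree.ElementTree as ET

PLUGIN = ("com.googlecode.maven-download-plugin", "download-maven-plugin")
# Assumption: checksum parameters of the wget goal; check them against the plugin version in use.
CHECKSUMS = ("md5", "sha1", "sha256", "sha512")

# Constructed sample POM, not taken from any real source tree.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins><plugin>
  <groupId>com.googlecode.maven-download-plugin</groupId>
  <artifactId>download-maven-plugin</artifactId>
  <executions>
    <execution><id>unpinned</id><goals><goal>wget</goal></goals>
      <configuration><url>https://example.org/public_suffix_list.dat</url></configuration>
    </execution>
    <execution><id>pinned</id><goals><goal>wget</goal></goals>
      <configuration><url>https://mirror.example.internal/public_suffix_list.dat</url>
        <sha512>PLACEHOLDER_DIGEST</sha512></configuration>
    </execution>
  </executions>
</plugin></plugins></build></project>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag name

def child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_pom(pom_xml):
    """List every wget execution of the download plugin and whether it pins a checksum."""
    findings = []
    for plugin in (e for e in ET.fromstring(pom_xml).iter() if local(e.tag) == "plugin"):
        if (child_text(plugin, "groupId"), child_text(plugin, "artifactId")) != PLUGIN:
            continue
        for ex in (e for e in plugin.iter() if local(e.tag) == "execution"):
            if not any(local(g.tag) == "goal" and (g.text or "").strip() == "wget" for g in ex.iter()):
                continue
            cfg = next((c for c in ex if local(c.tag) == "configuration"), None)
            url = child_text(cfg, "url") if cfg is not None else None
            pinned = cfg is not None and any(child_text(cfg, k) for k in CHECKSUMS)
            findings.append({"id": child_text(ex, "id"), "url": url, "pinned": pinned})
    return findings

if __name__ == "__main__":
    for f in audit_pom(SAMPLE_POM):
        print(("OK      " if f["pinned"] else "UNPINNED"), f["id"], f["url"])
```

Run across every `pom.xml` in a source tree, the unpinned entries give the list of external files that would need mirroring and a recorded digest to meet points A to C.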