  1. Red Hat Fuse
  2. ENTESB-3831

Eliminate external requests from builds


    • Bug
    • Resolution: Done
    • Major
    • jboss-fuse-6.2.1
    • jboss-fuse-6.2.1
    • Build
    • None

      This potentially affects a number of our builds, and is based on a request from Jonathan Christison and involves our use of the maven-download-plugin. From Jonathan:

      "The issue has also highlighted use of external requests at build time.

      The offending plugin is
      com.googlecode.maven-download-plugin:download-maven-plugin and can be
      found in a few locations e.g. cxf/rt/transports/http/pom.xml or by
      searching for maven-download-plugin:1.1.0:wget in the perfectus/build
      logs. These fetches might not be reproducible because they are not
      only subject to change such as the public_suffix_list.dat but could
      vanish altogether.

      I think this puts us in a similar situation to npm whereby we need a
      mechanism to automatically mirror/store these files (if they cannot
      just be static?) so -

      A) Builds are reproducible
      B) Customers can build offline
      C) The files have some kind of traceability and assurances they're not
      malicious"

            kearls@redhat.com Kevin Earls (Inactive)
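
An added example (not from the original issue or the Fuse code base): a Python audit that finds `wget` executions of `download-maven-plugin` in a POM and flags those with no pinned checksum, which are the fetches that can change or vanish between builds. The sample POM, its URLs and the checksum element names `md5`/`sha1`/`sha256`/`sha512` are assumptions; confirm the parameter names for the plugin version in use.

```python
import xml.etree.ElementTree as ET

PLUGIN = ("com.googlecode.maven-download-plugin", "download-maven-plugin")
# Assumed checksum parameter names for the wget goal; confirm for your plugin version.
CHECKSUM_FIELDS = ("md5", "sha1", "sha256", "sha512")

# Constructed sample POM fragment (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins>
<plugin>
  <groupId>com.googlecode.maven-download-plugin</groupId>
  <artifactId>download-maven-plugin</artifactId>
  <executions>
    <execution><id>fetch-unpinned</id><goals><goal>wget</goal></goals>
      <configuration><url>https://example.org/public_suffix_list.dat</url></configuration>
    </execution>
    <execution><id>fetch-pinned</id><goals><goal>wget</goal></goals>
      <configuration><url>https://mirror.example.internal/list.dat</url>
        <sha512>CONSTRUCTED-PLACEHOLDER-DIGEST</sha512></configuration>
    </execution>
  </executions>
</plugin></plugins></build></project>"""

def _text(el, name):
    """Child element text, trimmed; empty string when the child is absent."""
    return (el.findtext(name) or "").strip()

def find_external_fetches(pom_text):
    """Return one record per wget execution of the download plugin in a POM."""
    root = ET.fromstring(pom_text)
    for el in root.iter():                      # drop the POM namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for plugin in root.iter("plugin"):
        if (_text(plugin, "groupId"), _text(plugin, "artifactId")) != PLUGIN:
            continue
        shared = plugin.find("configuration")   # plugin-level defaults, if any
        for ex in plugin.iter("execution"):
            if "wget" not in [(g.text or "").strip() for g in ex.iter("goal")]:
                continue
            cfgs = [c for c in (ex.find("configuration"), shared) if c is not None]
            def get(name):                      # execution config wins over plugin config
                return next((_text(c, name) for c in cfgs if _text(c, name)), None)
            findings.append({"execution": _text(ex, "id"), "url": get("url"),
                             "pinned": [f for f in CHECKSUM_FIELDS if get(f)]})
    return findings

def unpinned(findings):
    """Fetches with no checksum: content can change or vanish between builds."""
    return [f for f in findings if not f["pinned"]]
```

URLs built from Maven properties (`${...}`) are reported as written, since the script does not interpolate them.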