Gradle: Verifying dependencies / version locks


Gradle: Verifying dependencies / version locks

David Smiley
I noticed that Gradle has a built-in dependency version locking mechanism that is different than the one we are using:
Dawid (or anyone), why are we using something different?  Is our mechanism completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle or is there some related plugin for this?

~ David Smiley
Apache Lucene/Solr Search Developer

Re: Gradle: Verifying dependencies / version locks

Mike Drob-2
This feature was added to Gradle 6.2, which wasn't available when we first did the conversion from ant.

This plugin doesn't do any verification of license and notice files like we do, so that's one thing that we will still need our custom validation for.

We could potentially move the checksum verification to the plugin, but that seems like a lot of effort for I'm not sure what the payoff is.

I don't trust the state of signatures in open source repositories to know if going down that path is worthwhile, but I also suspect not.


Mike

On Mon, Feb 22, 2021 at 3:45 PM David Smiley <[hidden email]> wrote:
I noticed that Gradle has a built-in dependency version locking mechanism that is different than the one we are using:
Dawid (or anyone), why are we using something different?  Is our mechanism completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle or is there some related plugin for this?

~ David Smiley
Apache Lucene/Solr Search Developer
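The custom checksum-and-license validation Mike describes, modelled as an added stand-alone example. This is not the project's gradle/validation/jar-checks.gradle and not Gradle's built-in verification; it assumes a layout in which every third-party jar in a lib directory has a sibling `<jar>.sha1` checksum, a `<artifact>-LICENSE-*.txt` and a `<artifact>-NOTICE*.txt` in a licenses directory (the thread does not say which hash or naming the project uses, so those are assumptions), and the jars, checksums and license files in `build_demo()` are constructed for the demonstration.

```python
"""Model of a jar-checks style validation: every third-party jar must have a
matching .sha1 checksum plus LICENSE and NOTICE files in a licenses directory.
Added example; layout and file naming are assumptions, not the project's own."""
import hashlib
import re
import tempfile
from pathlib import Path


def sha1_of(path: Path) -> str:
    """SHA-1 hex digest of a file, read in chunks so large jars are not loaded whole."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def artifact_name(jar: Path) -> str:
    """'jackson-core-2.12.1.jar' -> 'jackson-core' (drop the first '-<digit>...' suffix)."""
    return re.sub(r"-\d.*$", "", jar.stem)


def check_jar(jar: Path, licenses: Path) -> list[str]:
    """Problems found for one jar; an empty list means the jar passes."""
    problems = []
    sha_file = licenses / (jar.name + ".sha1")
    if not sha_file.is_file():
        problems.append(f"{jar.name}: no checksum file {sha_file.name}")
    else:
        # Accept 'hash' or 'hash  filename' (sha1sum output); compare case-insensitively.
        expected = sha_file.read_text().split()[0].lower()
        actual = sha1_of(jar)
        if expected != actual:
            problems.append(f"{jar.name}: checksum mismatch, expected {expected} got {actual}")
    name = artifact_name(jar)
    if not any(licenses.glob(f"{name}-LICENSE-*.txt")):
        problems.append(f"{jar.name}: no {name}-LICENSE-*.txt")
    if not any(licenses.glob(f"{name}-NOTICE*.txt")):
        problems.append(f"{jar.name}: no {name}-NOTICE*.txt")
    return problems


def verify(jars_dir: Path, licenses: Path) -> list[str]:
    """Check every jar, then flag checksum files that match no jar (stale entries)."""
    problems = []
    jars = sorted(jars_dir.glob("*.jar"))
    for jar in jars:
        problems.extend(check_jar(jar, licenses))
    present = {jar.name for jar in jars}
    for sha_file in sorted(licenses.glob("*.jar.sha1")):
        if sha_file.name[: -len(".sha1")] not in present:
            problems.append(f"{sha_file.name}: stale checksum, no such jar")
    return problems


def build_demo() -> tuple[Path, Path]:
    """Constructed fixture: one good jar, one jar whose bytes changed after its
    checksum was recorded, one jar with no NOTICE, and a stale checksum for a
    jar that was removed."""
    root = Path(tempfile.mkdtemp(prefix="jarcheck-"))
    jars, licenses = root / "lib", root / "licenses"
    jars.mkdir()
    licenses.mkdir()

    def add(name: str, content: bytes, notice: bool = True) -> Path:
        jar = jars / name
        jar.write_bytes(content)
        (licenses / (name + ".sha1")).write_text(sha1_of(jar) + "\n")
        base = artifact_name(jar)
        (licenses / f"{base}-LICENSE-ASL.txt").write_text("Apache License 2.0 (constructed)\n")
        if notice:
            (licenses / f"{base}-NOTICE.txt").write_text("constructed notice\n")
        return jar

    add("good-lib-1.0.0.jar", b"good jar bytes")
    tampered = add("tampered-lib-2.1.0.jar", b"original bytes")
    tampered.write_bytes(b"modified after checksum")  # simulates a swapped artifact
    add("nonotice-lib-3.0.0.jar", b"x", notice=False)
    (licenses / "removed-lib-0.9.jar.sha1").write_text("0" * 40 + "\n")
    return jars, licenses


if __name__ == "__main__":
    for line in verify(*build_demo()):
        print(line)
```

Run as a script it reports three problems for the constructed fixture: the tampered jar's checksum mismatch, the missing NOTICE, and the stale checksum file. The stale-entry pass is the part worth keeping in any such check: a checksum that outlives its jar is exactly the kind of drift that makes a lock set stop meaning what reviewers think it means.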

Re: Gradle: Verifying dependencies / version locks

David Smiley
Thanks for the background on that.  I suspected it was a new feature.

~ David Smiley
Apache Lucene/Solr Search Developer


On Mon, Feb 22, 2021 at 5:02 PM Mike Drob <[hidden email]> wrote:
This feature was added to Gradle 6.2, which wasn't available when we first did the conversion from ant.

This plugin doesn't do any verification of license and notice files like we do, so that's one thing that we will still need our custom validation for.

We could potentially move the checksum verification to the plugin, but that seems like a lot of effort for I'm not sure what the payoff is.

I don't trust the state of signatures in open source repositories to know if going down that path is worthwhile, but I also suspect not.


Mike

On Mon, Feb 22, 2021 at 3:45 PM David Smiley <[hidden email]> wrote:
I noticed that Gradle has a built-in dependency version locking mechanism that is different than the one we are using:
Dawid (or anyone), why are we using something different?  Is our mechanism completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle or is there some related plugin for this?

~ David Smiley
Apache Lucene/Solr Search Developer

Re: Gradle: Verifying dependencies / version locks

Dawid Weiss-2
In reply to this post by David Smiley

It's a plugin - palantir-consistent-versions. I haven't used the built-in gradle mechanism, so I can't
say much about how it works.

D.

On Mon, Feb 22, 2021 at 10:45 PM David Smiley <[hidden email]> wrote:
I noticed that Gradle has a built-in dependency version locking mechanism that is different than the one we are using:
Dawid (or anyone), why are we using something different?  Is our mechanism completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle or is there some related plugin for this?

~ David Smiley
Apache Lucene/Solr Search Developer