
Gradle: Verifying dependencies / version locks
I noticed that Gradle has a built-in dependency version locking mechanism
that is different than the one we are using:
https://docs.gradle.org/current/userguide/dependency_verification.html
Dawid (or anyone), why are we using something different? Is our mechanism
completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle
or is there some related plugin for this?

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
Re: Gradle: Verifying dependencies / version locks
This feature was added to Gradle 6.2, which wasn't available when we first
did the conversion from ant.

This plugin doesn't do any verification of license and notice files like we
do, so that's one thing that we will still need our custom validation for.

We could potentially move the checksum verification to the plugin, but that
seems like a lot of effort for I'm not sure what the payoff is.

I don't trust the state of signatures in open source repositories to know
if going down that path is worthwhile, but I also suspect not.


Mike

On Mon, Feb 22, 2021 at 3:45 PM David Smiley <dsmiley@apache.org> wrote:

> I noticed that Gradle has a built-in dependency version locking mechanism
> that is different than the one we are using:
> https://docs.gradle.org/current/userguide/dependency_verification.html
> Dawid (or anyone), why are we using something different? Is our mechanism
> completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle
> or is there some related plugin for this?
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>
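The two checks Mike contrasts above are easy to see side by side in code: Gradle's built-in dependency verification covers the checksum half, while the license/notice half is what a custom validation step still has to do. The following is an added illustration, not the project's jar-checks.gradle and not Gradle's own implementation. It assumes a layout of its own: for every `foo-1.0.jar` in a `lib` directory, a `licenses` directory holds `foo-1.0.jar.sha256`, `foo-LICENSE-<kind>.txt` and `foo-NOTICE.txt` (the hash algorithm and naming are assumptions for the example). The fixture jar, its checksum and a tampered copy are all constructed inline so the script runs offline.

```python
"""Checksum plus LICENSE/NOTICE validation for third-party jars.

Added example: this is neither Lucene's gradle/validation/jar-checks.gradle
nor Gradle's built-in dependency verification. The directory layout and the
use of SHA-256 sidecar files are assumptions made for this illustration.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
import zipfile
from pathlib import Path


def sha256_hex(path: Path) -> str:
    """Stream the file through SHA-256 so large jars don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def artifact_stem(jar: Path) -> str:
    """Strip the version suffix: 'commons-codec-1.13.jar' -> 'commons-codec'."""
    m = re.match(r"^(.*?)-\d[\w.]*\.jar$", jar.name)
    return m.group(1) if m else jar.stem


def verify_jar(jar: Path, licenses_dir: Path) -> list[str]:
    """Return a list of problems; an empty list means the jar passes both checks."""
    problems: list[str] = []

    # Check 1: pinned checksum (the part a lock/verification file can cover).
    sha_file = licenses_dir / (jar.name + ".sha256")
    if not sha_file.exists():
        problems.append(f"missing checksum file {sha_file.name}")
    else:
        expected = sha_file.read_text().split()[0].lower()
        actual = sha256_hex(jar)
        if expected != actual:
            problems.append(
                f"checksum mismatch for {jar.name}: expected {expected}, got {actual}"
            )

    # Check 2: license and notice files (the part Gradle's verification does not do).
    stem = artifact_stem(jar)
    if not list(licenses_dir.glob(f"{stem}-LICENSE-*.txt")):
        problems.append(f"missing LICENSE file for {stem}")
    if not (licenses_dir / f"{stem}-NOTICE.txt").exists():
        problems.append(f"missing NOTICE file for {stem}")
    return problems


def build_sample(root: Path, tamper: bool = False, omit_notice: bool = False) -> tuple[Path, Path]:
    """Constructed fixture: a minimal jar plus its sidecar metadata files."""
    lib, lic = root / "lib", root / "licenses"
    lib.mkdir()
    lic.mkdir()
    jar = lib / "example-lib-1.0.jar"
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    # Record the checksum of the jar as originally produced.
    (lic / "example-lib-1.0.jar.sha256").write_text(sha256_hex(jar) + "\n")
    (lic / "example-lib-LICENSE-ASL.txt").write_text("Apache License 2.0 (constructed)\n")
    if not omit_notice:
        (lic / "example-lib-NOTICE.txt").write_text("Example notice (constructed)\n")
    if tamper:
        # Simulate the jar changing after its checksum was pinned.
        with zipfile.ZipFile(jar, "a") as z:
            z.writestr("extra.txt", "content added after the checksum was recorded\n")
    return jar, lic


def run_scenarios() -> dict[str, list[str]]:
    """Run the validator over a clean, a tampered and a notice-less fixture."""
    scenarios = {"clean": {}, "tampered": {"tamper": True}, "no_notice": {"omit_notice": True}}
    results: dict[str, list[str]] = {}
    for name, kwargs in scenarios.items():
        with tempfile.TemporaryDirectory() as d:
            jar, lic = build_sample(Path(d), **kwargs)
            results[name] = verify_jar(jar, lic)
    return results


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Running the script reports the clean fixture as OK, the tampered one as a checksum mismatch, and the third as missing its NOTICE file even though its checksum is intact; that last case is exactly the gap a checksum-only mechanism leaves open.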
Re: Gradle: Verifying dependencies / version locks
Thanks for the background on that. I suspected it was a new feature.

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley


On Mon, Feb 22, 2021 at 5:02 PM Mike Drob <mdrob@mdrob.com> wrote:

> This feature was added to Gradle 6.2, which wasn't available when we first
> did the conversion from ant.
>
> This plugin doesn't do any verification of license and notice files like
> we do, so that's one thing that we will still need our custom validation
> for.
>
> We could potentially move the checksum verification to the plugin, but
> that seems like a lot of effort for I'm not sure what the payoff is.
>
> I don't trust the state of signatures in open source repositories to know
> if going down that path is worthwhile, but I also suspect not.
>
>
> Mike
>
> On Mon, Feb 22, 2021 at 3:45 PM David Smiley <dsmiley@apache.org> wrote:
>
>> I noticed that Gradle has a built-in dependency version locking mechanism
>> that is different than the one we are using:
>> https://docs.gradle.org/current/userguide/dependency_verification.html
>> Dawid (or anyone), why are we using something different? Is our
>> mechanism completely defined ad-hoc in Groovy in
>> gradle/validation/jar-checks.gradle or is there some related plugin for
>> this?
>>
>> ~ David Smiley
>> Apache Lucene/Solr Search Developer
>> http://www.linkedin.com/in/davidwsmiley
>>
>
Re: Gradle: Verifying dependencies / version locks
It's a plugin - palantir-consistent-versions. I haven't used the built-in
gradle mechanism, so I can't say much about how it works.

D.

On Mon, Feb 22, 2021 at 10:45 PM David Smiley <dsmiley@apache.org> wrote:

> I noticed that Gradle has a built-in dependency version locking mechanism
> that is different than the one we are using:
> https://docs.gradle.org/current/userguide/dependency_verification.html
> Dawid (or anyone), why are we using something different? Is our mechanism
> completely defined ad-hoc in Groovy in gradle/validation/jar-checks.gradle
> or is there some related plugin for this?
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>