# dependency-management
Basically this issue exactly, and I don't agree with the answer: https://github.com/gradle/gradle/issues/12108. If our Artifactory is just a mirror of mavenCentral and the Gradle Plugin Portal, they should be fine to use as a fallback for reproducibility.
If you have repositories A, then B, then C, with a good version of x in A and an evil version of x in C, then when A is broken due to a DDoS attack your build will continue to run, taking the evil version of x from C. Or you have the same repositories, A has version 10 of x, C has version 3 of x, and you declare a dependency on the latest.integration version of x. You build while A is online and build with version 10. Now A has some problems and suddenly your build builds with version 3.
I completely disagree with the answer too. A build system's job is to build; “features” like that should be configurable.
We use fixed versions everywhere; my life would be so much better if we could disable that.
I’m even fine with it being the default, as there are a lot of cases where people would care. But it should be disableable.
It should IMHO at most be enableable, as it is a big security risk, especially without verification enabled. With verification enabled it could maybe be the default. But well, you have to convince the Gradle guys about that. 🙂
A build system's job is to build; “features” like that should be configurable
And a good build system's job is to build reliably, securely, and reproducibly, which you would not have with the requested change. That's why I said it should at least be off by default but maybe enableable with some switch.