[GitHub] [lucene] dweiss commented on a change in pull request #108: LUCENE-9897 Change dependency checking mechanism to use gradle checksum verification

GitBox Thu, 29 Apr 2021 00:42:33 -0700


dweiss commented on a change in pull request #108:
URL: https://github.com/apache/lucene/pull/108#discussion_r622807200




##########
File path: gradle/verification-metadata.xml
##########
@@ -0,0 +1,2198 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<verification-metadata 
xmlns="https://schema.gradle.org/dependency-verification"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="https://schema.gradle.org/dependency-verification 
https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd";>
+   <configuration>
+      <verify-metadata>true</verify-metadata>
+      <verify-signatures>false</verify-signatures>
+   </configuration>
+   <components>
+      <component group="com.beust" name="jcommander" version="1.78">
+         <artifact name="jcommander-1.78.jar">
+            <sha256 
value="7891debb84b5f83e9bd57593ebece3399abbe0fd938cf306b3534c57913b9615" 
origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="jcommander-1.78.pom">
+            <sha256 
value="6fee231c0aeee6de1256b6b5590ce9e6f6cf6c39797ed668573520bc3412e2a7" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.carrotsearch" name="hppc" version="0.8.2">
+         <artifact name="hppc-0.8.2.jar">
+            <sha256 
value="97e45d4e0106d98dd3e76d9610e0bd3895409bd1ab1ed189855b05af0571025e" 
origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="hppc-0.8.2.pom">
+            <sha256 
value="dd84d3247b2bbdfea08f40e896f6d12aa5c3f2ec4982dcbf82b51efb8330a654" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.carrotsearch" name="hppc-parent" version="0.8.2">
+         <artifact name="hppc-parent-0.8.2.pom">
+            <sha256 
value="9af29845f5120dfd526d12d36d3eeaff045e8d85a826fca8039f830398df534f" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.carrotsearch.randomizedtesting" 
name="randomizedtesting-parent" version="2.7.2">
+         <artifact name="randomizedtesting-parent-2.7.2.pom">
+            <sha256 
value="43a0795f51c694dbfc7acf9430c96c867553d38fc44664649ffad68247046c57" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.carrotsearch.randomizedtesting" 
name="randomizedtesting-parent" version="2.7.6">
+         <artifact name="randomizedtesting-parent-2.7.6.pom">
+            <sha256 
value="4053e097749859df0955bcca1284ccf993e3dba23f9504236892081aab41079b" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.carrotsearch.randomizedtesting" 
name="randomizedtesting-runner" version="2.7.2">
+         <artifact name="randomizedtesting-runner-2.7.2.jar">
+            <sha256 
value="2c4f36dffe3578d30d0d9ea8eff0584f8b252f3f92ffea08ef76a1ecb2ef1e94" 
origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="randomizedtesting-runner-2.7.2.pom">
+            <sha256 
value="5fbda9cb925a05d51c01b31e35c9b64bbf5bd8c1ff2d457bd7e98da521f72cc0" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.carrotsearch.randomizedtesting" 
name="randomizedtesting-runner" version="2.7.6">
+         <artifact name="randomizedtesting-runner-2.7.6.jar">
+            <sha256 
value="7a95b60ac991630430f723485e0ddfcc7094bfe32e19816165a7443a255008a5" 
origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="randomizedtesting-runner-2.7.6.pom">
+            <sha256 
value="d845beab7418abe5167838f0c446212d8b330c33bd57ac81fa864ca20298e2c1" 
origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="com.diffplug.durian" name="durian-collect" 
version="1.2.0">

Review comment:
       This link points at disabling transitive dependencies for a particular 
dependency - it's not related to checksumming. We do want those transitive 
dependencies and palantir's plugin makes sure they're consistent.
   
   > Gradle provides an API which allows disabling dependency verification on 
some specific configurations.
   
   Right. I see how it's done in the documentation and indeed it may be 
difficult to hook into all the configurations to just pick the subset that we 
want checksums for. 
   
   We could leave all the checksums but things would have to work. If they 
don't then I'd stick to the custom solution we rolled out until switching 
without so much pain is possible?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

[GitHub] [lucene] dweiss commented on a change in pull request #108: LUCENE-9897 Change dependency checking mechanism to use gradle checksum verification

Reply via email to