OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Reproducible build #158

Closed efge closed 5 years ago

efge commented 5 years ago

In order to get reproducible builds, please consider using fixed versions in the POMs. This applies to this part of the parent POM:

      <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>[1.4,)</version>
      </dependency>

(there are also two others for findbugs but they are less critical)

mikesamuel commented 5 years ago

I've seen some warnings related to this but am not sure we're talking about quite the same thing.

Should I be looking for something specific in the log from mvn verify or at some report under target/site to find these problems?

efge commented 5 years ago

It's not a problem per se but a good practice to disallow version ranges (and SNAPSHOT) in order to have reproducible builds. The Maven Enforcer plugin can be configured to disallow SNAPSHOT versions, but I'm not seeing anything related to version ranges.

I can provide a PR to remove the ranges if you want.

mikesamuel commented 5 years ago

@efge Thanks for the offer.

I agree that reproducible builds are important, but I'm leery of breaking downstream clients.

https://github.com/OWASP/java-html-sanitizer/commit/b17604bb11c2c00809163a425d5aa481be8371a1 abstracts out the guava version.

I'd prefer if we can get the same benefit by using parameters with default values to allow ranges and explicit single-version overrides, incorporating build tests, and changing the release checklist to include mandating a particular version.
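The approach proposed in the last comment, as an added example and not the project's own pom.xml: the dependency version is a Maven property whose default keeps the range, so downstream clients see the same behaviour as before, while a release build overrides it on the command line with one explicit version. The Enforcer rule that rejects SNAPSHOT dependencies (mentioned earlier in the thread) is included alongside it. The property name, the project coordinates, the enforcer plugin version and the override value 1.11 are assumptions, not values from the page.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Assumed placeholder coordinates -->
  <groupId>example.group</groupId>
  <artifactId>example-parent</artifactId>
  <version>0.0.1</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Default keeps the open range from the original POM so existing
         consumers are not broken. A release build pins it explicitly:
           mvn -Dcommons-codec.version=1.11 verify
         (1.11 is an assumed value; the release checklist records what was used.) -->
    <commons-codec.version>[1.4,)</commons-codec.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>${commons-codec.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>enforce-no-snapshots</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Fail the build if any dependency resolves to a SNAPSHOT -->
                <requireReleaseDeps>
                  <message>SNAPSHOT dependencies are not allowed</message>
                </requireReleaseDeps>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With the default in place, `mvn dependency:tree` shows whichever commons-codec version the range resolved to on that day; with the `-D` override it shows the pinned version, which is the value a release checklist should record so that the artifact can be rebuilt later from the same inputs. The `requireReleaseDeps` rule covers SNAPSHOTs only; a range such as `[1.4,)` still passes it, which is why the explicit override on release builds is what actually makes the build reproducible.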