Improve documentation of updating a dependency

Rene Groeschke 2022-10-04 13:39:11 +02:00
parent 62d2eee105
commit 42ccdeaacf
No known key found for this signature in database
GPG Key ID: B1782D97CBC64567
1 changed files with 5 additions and 3 deletions


@ -78,17 +78,19 @@ For updated or newly added dependencies you need to add an entry to this verific
</component>
```
In case of updating a dependency, ensure to remove the unused entry of the outdated dependency manually from the verifcation.xml file.
You can also automate the generation of this entry by running your build using the `--write-verification-metadata` commandline option:
```
>./gradlew --write-verification-metadata sha256 precommit
```
The `--write-verification-metadata` Gradle option is generally able to resolve reachable configurations,
The `--write-verification-metadata` Gradle option is generally able to resolve reachable configurations,
but we use detached configurations for a certain set of plugins and tasks. Therefore, please ensure you run this option with a task that
uses the changed dependencies. In most cases, `precommit` or `check` are good candidates.
We prefer sha256 checksums as md5 and sha1 are not considered safe anymore these days. The generated entry
will have the `origin` attribute been set to `Generated by Gradle`.
We prefer sha256 checksums as md5 and sha1 are not considered safe anymore these days. The generated entry
will have the `origin` attribute been set to `Generated by Gradle`.
>A manual confirmation of the Gradle generated checksums is currently not mandatory.
>If you want to add a level of verification you can manually confirm the checksum (e.g by looking it up on the website of the library)
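Review bot: the sentence added at the top of the hunk misspells the file name: `verifcation.xml` should be `verification.xml`, and "ensure to remove the unused entry" reads better as "be sure to remove the now unused entry". Two smaller points in the same hunk: "will have the `origin` attribute been set to `Generated by Gradle`" should read "will have the `origin` attribute set to `Generated by Gradle`", and the `>` prompt inside the fenced `./gradlew --write-verification-metadata sha256 precommit` block will be copied together with the command by readers, so drop it (and tag the fence as `shell`). Since the closing note says manual confirmation of the generated checksums is currently not mandatory, it would also help to state plainly that `--write-verification-metadata` records the checksum of whatever artifact Gradle just downloaded, so the generated entry only pins that download; comparing it against the checksum published by the library, as the note suggests, is the step that actually verifies the new dependency.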