Improve documentation of updating a dependency

This commit is contained in:
Rene Groeschke 2022-10-04 13:39:11 +02:00
parent 62d2eee105
commit 42ccdeaacf
No known key found for this signature in database
GPG Key ID: B1782D97CBC64567
1 changed files with 5 additions and 3 deletions


@ -78,17 +78,19 @@ For updated or newly added dependencies you need to add an entry to this verific
</component> </component>
``` ```
In case of updating a dependency, ensure to remove the unused entry of the outdated dependency manually from the verifcation.xml file.
You can also automate the generation of this entry by running your build using the `--write-verification-metadata` commandline option: You can also automate the generation of this entry by running your build using the `--write-verification-metadata` commandline option:
``` ```
>./gradlew --write-verification-metadata sha256 precommit >./gradlew --write-verification-metadata sha256 precommit
``` ```
The `--write-verification-metadata` Gradle option is generally able to resolve reachable configurations, The `--write-verification-metadata` Gradle option is generally able to resolve reachable configurations,
but we use detached configurations for a certain set of plugins and tasks. Therefore, please ensure you run this option with a task that but we use detached configurations for a certain set of plugins and tasks. Therefore, please ensure you run this option with a task that
uses the changed dependencies. In most cases, `precommit` or `check` are good candidates. uses the changed dependencies. In most cases, `precommit` or `check` are good candidates.
We prefer sha256 checksums as md5 and sha1 are not considered safe anymore these days. The generated entry We prefer sha256 checksums as md5 and sha1 are not considered safe anymore these days. The generated entry
will have the `origin` attribute been set to `Generated by Gradle`. will have the `origin` attribute been set to `Generated by Gradle`.
>A manual confirmation of the Gradle generated checksums is currently not mandatory. >A manual confirmation of the Gradle generated checksums is currently not mandatory.
>If you want to add a level of verification you can manually confirm the checksum (e.g by looking it up on the website of the library) >If you want to add a level of verification you can manually confirm the checksum (e.g by looking it up on the website of the library)
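Review bot: the sentence added in this hunk ("In case of updating a dependency, ensure to remove the unused entry ...") misspells the file name as `verifcation.xml`; it should be `verification.xml`, matching the file the surrounding text describes. The same sentence would be more useful if it named what to remove: the `<component>` entry carrying the previous version's coordinates, since the hunk makes clear that `--write-verification-metadata` adds the new entry but does not drop the old one, and a leftover entry keeps an artifact/checksum pair that no build resolves any more. A wording such as "When updating a dependency, also remove the now-unused `<component>` entry for the previous version from `verification.xml`, since Gradle does not prune it for you" would say both things.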