Fork me on GitHub

If reproducible builds are being used for security, then I agree that there are problems. Ken Thompson's Turing Award lecture also comes to mind.


Is there a way to use depstar to add an external Class-Path reference in the manifest? One of my dependencies unfortunately needs to be external to the uberjar. I need to add e.g. Class-Path: /opt/whatever/whatever.jar to the manifest. It works if I have an ‘add-class-path’ file containing that line and then post-process the uberjar using: jar --manifest=add-class-path -u -f my.jar But I’m wondering if it is within scope for doing this directly in depstar. Btw, the depstar readme has a small typo in the Exclude Files section. The example says to use: :exclude '"clojure/core/specs/alpha.*"' but that doesn’t work and I believe the correct usage is: :exclude '["clojure/core/specs/alpha.*"]' The description correctly says to use a vector of strings.


Open an issue on GH and I'll give it some thought. It feels a bit out of scope but maybe a generic way to add manifest entries would be reasonable?


Also, good catch on the typo : I think it accepted a regex or a vector at some point. I'll try to remember to fix that when I'm at my desk (but feel free to create an issue to remind me).


OK, at my computer now. I've fixed the :exclude issue (the printed help also suggested a single regex). Also