tree 3fa9c42e45bb3a89c863c64bc1947bb9108d92fb
parent 59c765652e481af5f5b3477a8383b948d8d5bba1
author Michael Ochmann <michael.ochmann@sap.com> 1455027451 +0100
committer Saša Živkov <zivkov@gmail.com> 1455197970 +0000

Option to skip library download during init

The init tool offers a mechanism to download a required library like
BouncyCastle during installation, and to remove "stale" versions of
that library from the lib/ folder if specified in libraries.config.
However, init does not check (and in general cannot check) that
the library actually is stale, but forcefully replaces it with the
version stated in libraries.config.

For security-critical libraries like BouncyCastle this is dangerous,
especially when doing a batch install. In that case, init may silently
download a potentially vulnerable library version and replace a more
secure version already residing in the lib/ folder.

This patch adds two new options to the init program to disable the
automatic library download altogether, or selectively:

--skip-all-downloads switches the download mechanism off completely;

--skip-download <lib> switches the download off for the given library
  (<lib> being the section name of a library in libraries.config).

Change-Id: I1df60b2fd7a4bf519b135e16deebb68a3b9095ef
Signed-off-by: Michael Ochmann <michael.ochmann@sap.com>
