Sebastian Schuberth

Results 1574 comments of Sebastian Schuberth

> why the download server would matter?

So you're proposing to download such artifacts only *once* for scanning, from an arbitrary location of those locations that provide the same by...

> Would be great to fix this at the same time.

That's a completely different area of code, though. Anyway, contributions are welcome 😉

> ORT could have a global "URL replace function" as part of ORT configuration which is used for all remote artifacts.

Sounds like https://github.com/oss-review-toolkit/ort/issues/6698, or?

> For Java, the approach is a bit more hacky (arguably), where I go into all `build.gradle` files and insert `mavenCentral()` before the custom repository

I haven't tested this, but...

> Problem 1: Same source, different protocol

IMO, this could and should be solved via #6698.

> Problem 2: Same source, different hashing algorithm
>
> An example for both is...

> Can you see this one:

Yes, that works, thanks!

> all attributes of a project are considered when determining whether or not to insert it into the set.

You're...

FYI @oss-review-toolkit/core-devs, Marika works at HH Partners and has legal background.

> The contents of this file requires us as community to define some clear governance rules and we need to define as a community to avoid endless discussions.

Note that...

One general problem with the POM generated by `makePom` is that this is a POM meant for distribution, not for building the project.

This [StackOverflow comment](https://stackoverflow.com/questions/25519926/how-to-see-dependency-tree-in-sbt#comment70131784_37414734) proposes to run `sbt update` and inspect the `.xml` files generated by Ivy. Basically, that's a very nice approach, but unfortunately it does not associate dependencies to...