Posted to issues@aurora.apache.org by "Vladimir Sitnikov (Jira)" <ji...@apache.org> on 2019/09/08 21:31:00 UTC

[jira] [Updated] (AURORA-1997) Consider using checksum-dependency-plugin for dependency verification

     [ https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vladimir Sitnikov updated AURORA-1997:
--------------------------------------
    Description: 
{{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and it makes it possible to increase the level of security.

Key features:
 * Gradle plugins can be verified (gradle-witness doesn't track plugins)
 * All Gradle configurations are supported (e.g. `java-library` plugin is supported). `checksum-dependency-plugin` intercepts detached configurations as well (e.g. the ones that are created on demand)
 * PGP can be used for verification, with or without a checksum. PGP makes it possible to detect and prevent issues like [https://blog.autsoft.hu/a-confusing-dependency/]

{{checksum-dependency-plugin}} aims to provide insulation against MITM attacks via maven dependency downloads.
It is trivial to integrate, and it is not that hard to maintain (e.g. checksum.xml could be updated automatically)

[1] [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]

  was:
gradle-witness [1] aims to provide insulation against MITM attacks via maven dependency downloads. From the looks of things, it would require a pretty small amount of upfront work and upkeep to integrate this and prevent injection of rogue code.

[1] https://github.com/whispersystems/gradle-witness


> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
>                 Key: AURORA-1997
>                 URL: https://issues.apache.org/jira/browse/AURORA-1997
>             Project: Aurora
>          Issue Type: Story
>          Components: Build, Scheduler, Security
>            Reporter: Vladimir Sitnikov
>            Priority: Trivial
>              Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and it makes it possible to increase the level of security.
> Key features:
>  * Gradle plugins can be verified (gradle-witness doesn't track plugins)
>  * All Gradle configurations are supported (e.g. `java-library` plugin is supported). `checksum-dependency-plugin` intercepts detached configurations as well (e.g. the ones that are created on demand)
>  * PGP can be used for verification, with or without a checksum. PGP makes it possible to detect and prevent issues like [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM attacks via maven dependency downloads.
> It is trivial to integrate, and it is not that hard to maintain (e.g. checksum.xml could be updated automatically)
> [1] [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
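The mechanism the issue relies on, pinning a checksum per dependency and refusing any artifact that does not match or is not pinned, as an added example that is not part of the Jira thread and is not the code of checksum-dependency-plugin or gradle-witness. The XML layout (`<dependencies>/<dependency id=... sha512=...>`), the coordinates and the jar bytes are all constructed for illustration; the real plugin's checksum.xml schema is not shown on the page, and the PGP path it also offers is not modelled here.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed artifact contents standing in for downloaded jars (not real Maven artifacts).
KNOWN_GOOD = {
    "com.example:safe-lib:1.0": b"PK\x03\x04 constructed safe-lib-1.0.jar",
    "com.example:util:2.3": b"PK\x03\x04 constructed util-2.3.jar",
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Write pins for a reviewed set of artifacts in a hypothetical XML layout
    (an assumption; the plugin's own checksum.xml schema is not on the page).
    The first manifest must be generated from a resolution you trust; after
    that, regenerating it on dependency bumps is the routine maintenance step."""
    root = ET.Element("dependencies")
    for coords, data in sorted(artifacts.items()):
        ET.SubElement(root, "dependency", id=coords, sha512=sha512_hex(data))
    return ET.tostring(root, encoding="unicode")


def parse_manifest(xml_text: str) -> dict:
    """Map 'group:artifact:version' -> expected SHA-512 hex digest."""
    root = ET.fromstring(xml_text)
    return {dep.attrib["id"]: dep.attrib["sha512"].lower() for dep in root.findall("dependency")}


def verify_artifact(coords: str, data: bytes, pins: dict) -> str:
    """Return 'ok', 'mismatch' (bytes differ from the pin, e.g. altered in
    transit) or 'unpinned' (artifact the manifest has never reviewed, which is
    how a look-alike dependency would first show up)."""
    expected = pins.get(coords)
    if expected is None:
        return "unpinned"
    if hmac.compare_digest(sha512_hex(data), expected):
        return "ok"
    return "mismatch"


def verify_resolution(resolved: dict, pins: dict) -> dict:
    """Verdict per coordinate for everything the build resolved, including
    transitive and detached configurations, so nothing reaches the classpath
    unchecked."""
    return {coords: verify_artifact(coords, data, pins) for coords, data in resolved.items()}


def build_passes(verdicts: dict) -> bool:
    """Gate: the build proceeds only if every resolved artifact verified."""
    return all(v == "ok" for v in verdicts.values())


PINNED_MANIFEST = build_manifest(KNOWN_GOOD)

# Constructed resolution as a build would see it after downloading: one artifact
# untouched, one altered on the way, one that the manifest does not know at all.
RESOLVED_TAMPERED = {
    "com.example:safe-lib:1.0": KNOWN_GOOD["com.example:safe-lib:1.0"],
    "com.example:util:2.3": KNOWN_GOOD["com.example:util:2.3"] + b"\x00injected",
    "com.example:extra:0.1": b"PK\x03\x04 constructed extra-0.1.jar",
}

if __name__ == "__main__":
    pins = parse_manifest(PINNED_MANIFEST)
    verdicts = verify_resolution(RESOLVED_TAMPERED, pins)
    for coords, verdict in verdicts.items():
        print(f"{coords}: {verdict}")
    print("build passes:", build_passes(verdicts))
```

Two design points matter for the defensive value: an unknown coordinate is a failure, not a warning, otherwise a new transitive dependency slips through the gate; and the digest comparison covers every resolved artifact rather than only the ones declared directly, which is the gap the issue notes gradle-witness leaves for plugins and detached configurations.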