Posted to issues@aurora.apache.org by "Vladimir Sitnikov (Jira)" <ji...@apache.org> on 2019/09/08 21:29:00 UTC

[jira] [Created] (AURORA-1997) Consider using checksum-dependency-plugin for dependency verification

Vladimir Sitnikov created AURORA-1997:
-----------------------------------------

             Summary: Consider using checksum-dependency-plugin for dependency verification
                 Key: AURORA-1997
                 URL: https://issues.apache.org/jira/browse/AURORA-1997
             Project: Aurora
          Issue Type: Story
          Components: Build, Scheduler, Security
            Reporter: Vladimir Sitnikov


gradle-witness [1] aims to provide insulation against MITM attacks via maven dependency downloads. From the looks of things, it would require a pretty small amount of upfront work and upkeep to integrate this and prevent injection of rogue code.

[1] https://github.com/whispersystems/gradle-witness



--
This message was sent by Atlassian Jira
(v8.3.2#803003)