Posted to issues@aurora.apache.org by "Vladimir Sitnikov (Jira)" <ji...@apache.org> on 2019/09/08 21:33:00 UTC

[jira] [Commented] (AURORA-1997) Consider using checksum-dependency-plugin for dependency verification

    [ https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16925256#comment-16925256 ] 

Vladimir Sitnikov commented on AURORA-1997:
-------------------------------------------

Note: there's no chicken-and-egg problem with checksum-dependency.

The plugin itself is verified before it is even used (see [https://github.com/vlsi/vlsi-release-plugins/blob/3deb95aede2ee1da962875a2bbfe605f47bf1a7f/settings.gradle.kts#L59-L60] ), so you don't have to put the jar into source control.

> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
>                 Key: AURORA-1997
>                 URL: https://issues.apache.org/jira/browse/AURORA-1997
>             Project: Aurora
>          Issue Type: Story
>          Components: Build, Scheduler, Security
>            Reporter: Vladimir Sitnikov
>            Priority: Trivial
>              Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and it makes it possible to increase the level of security.
> Key features:
>  * Gradle plugins can be verified (gradle-witness doesn't track plugins)
>  * All Gradle configurations are supported (e.g. `java-library` plugin is supported). `checksum-dependency-plugin` intercepts detached configurations as well (e.g. the ones that are created on demand)
>  * PGP can be used for verification. PGP can be used with or without checksum. PGP makes it possible to detect and prevent issues like [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM attacks via maven dependency downloads.
>  It is trivial to integrate, and it is not that hard to maintain (e.g. checksum.xml could be updated automatically)
> [1] [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]
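As an added illustration (not the plugin's own code, and not its checksum.xml format), the fail-closed checksum check the comment describes, in Python: the verifier's own jar is compared against a hash pinned in the build script before anything else runs, then every resolved artifact must match a pinned SHA-512, and an artifact with no pin (e.g. one pulled in by a detached configuration) is rejected rather than silently allowed. The artifact coordinates and bytes are constructed sample data.

```python
import hashlib


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def bootstrap_verifier(plugin_jar: bytes, pinned_plugin_sha512: str) -> bool:
    """Check the verifier jar itself before it is used.

    This is what removes the chicken-and-egg problem: the expected hash is a
    literal in the (version-controlled) build script, not a downloaded file.
    """
    return sha512_hex(plugin_jar) == pinned_plugin_sha512.lower()


def verify_artifacts(resolved: dict, pinned: dict) -> list:
    """Return violations for resolved artifacts; an empty list means all passed.

    Fail closed: a missing pin is a violation, just like a mismatching hash, so
    a dependency that appears unexpectedly cannot slip through unverified.
    """
    violations = []
    for coordinate in sorted(resolved):
        actual = sha512_hex(resolved[coordinate])
        expected = pinned.get(coordinate)
        if expected is None:
            violations.append(f"{coordinate}: no pinned checksum")
        elif actual != expected.lower():
            violations.append(f"{coordinate}: checksum mismatch")
    return violations


# Constructed sample data (placeholders standing in for real jar bytes).
PLUGIN_JAR = b"constructed: checksum-dependency-plugin.jar"
GOOD_JAR = b"constructed: guava-28.0-jre.jar"
MITM_JAR = b"constructed: tampered replacement served by a hostile mirror"

# In a real build these hex digests are literals committed with the build
# script; here they are derived from the constructed sample bytes.
PINNED_PLUGIN_SHA512 = sha512_hex(PLUGIN_JAR)
PINNED = {
    "com.google.guava:guava:28.0-jre": sha512_hex(GOOD_JAR),
    "org.example:lib:1.0": sha512_hex(b"constructed: the genuine lib-1.0.jar"),
}


def run_demo() -> list:
    assert bootstrap_verifier(PLUGIN_JAR, PINNED_PLUGIN_SHA512), "verifier jar tampered"
    resolved = {
        "com.google.guava:guava:28.0-jre": GOOD_JAR,       # matches its pin
        "org.example:lib:1.0": MITM_JAR,                   # substituted in transit
        "org.example:detached-only:2.0": b"constructed",   # no pin at all
    }
    return verify_artifacts(resolved, PINNED)
```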



--
This message was sent by Atlassian Jira
(v8.3.2#803003)