You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@aurora.apache.org by "Vladimir Sitnikov (Jira)" <ji...@apache.org> on 2019/09/08 21:33:00 UTC
[jira] [Commented] (AURORA-1997) Consider using
checksum-dependency-plugin for dependency verification
[ https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16925256#comment-16925256 ]
Vladimir Sitnikov commented on AURORA-1997:
-------------------------------------------
Note: there's no chicken-and-egg problem with checksum-dependency.
The plugin itself is verified before it is even used (see [https://github.com/vlsi/vlsi-release-plugins/blob/3deb95aede2ee1da962875a2bbfe605f47bf1a7f/settings.gradle.kts#L59-L60] ), so you don't have to put the jar to the source control.
> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
> Key: AURORA-1997
> URL: https://issues.apache.org/jira/browse/AURORA-1997
> Project: Aurora
> Issue Type: Story
> Components: Build, Scheduler, Security
> Reporter: Vladimir Sitnikov
> Priority: Trivial
> Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and it enables to increase the level of security.
> Key features:
> * Gradle plugins can be verified (grade-witness doesn't track plugins)
> * All Gradle configurations are supported (e.g. `java-library` plugin is supported). `checksum-dependency-plugin` intercepts detached configurations as well (e.g. the ones that are created on demand)
> * PGP can be used for verification. PGP can be used with or without checksum. PGP enables to detect and prevent issues like [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM attacks via maven dependency downloads.
> It is trivial to integrate, and it is not that hard to maintain (e.g. updated checksum.xml could be updated automatically)
> [1] [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]
--
This message was sent by Atlassian Jira
(v8.3.2#803003)