Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/02/22 12:56:00 UTC
[jira] [Commented] (OFBIZ-12186) Dependency verification
[ https://issues.apache.org/jira/browse/OFBIZ-12186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17288365#comment-17288365 ]
Jacques Le Roux commented on OFBIZ-12186:
-----------------------------------------
After reading the [Gradle documentation|https://docs.gradle.org/current/userguide/dependency_verification.html], having a look into [https://github.com/apache/groovy/blob/master/gradle/] and checking [https://github.com/apache/groovy/blob/master/gradle/verification-metadata.xml], I tried by myself in OFBiz.
In OFBiz case, the steps are simple despite the frightening Gradle documentation. What I did:
{quote}gradle --write-verification-metadata sha256 help
{quote}
I got a verification-metadata.xml in the gradle subdir. I then tried to launch OFBiz and got 3 issues related to the compileGroovy task.
I then used
{quote}gradle --write-verification-metadata sha256 compileGroovy
{quote}
which completed the verification-metadata.xml and was able to launch OFBiz w/o issues.
I attach the verification-metadata.xml for others to put it in the gradle subdir and test by themselves.
It seems it's an easy securing feature to use. So I suggest using it by simply committing the [^verification-metadata.xml] file.
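Since the generated file pins whatever Gradle had already downloaded at write time, it is worth auditing it before committing. The script below is an added example, not part of this issue or of OFBiz: it reads a verification-metadata.xml, confirms verify-metadata is on, and lists artifacts that carry no checksum or only a weak one (md5/sha1). The sample XML and its checksum values are constructed placeholders, and the element names follow Gradle's dependency-verification schema as I understand it.

```python
import xml.etree.ElementTree as ET

# Namespace of Gradle's verification-metadata.xml (assumed from the current schema).
NS = {"v": "https://schema.gradle.org/dependency-verification"}
STRONG = {"sha256", "sha512"}  # algorithms accepted as sufficient

# Constructed sample, not the attachment from the issue; checksum values are placeholders.
SAMPLE = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="org.codehaus.groovy" name="groovy" version="3.0.7">
         <artifact name="groovy-3.0.7.jar">
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000001" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="com.example" name="legacy" version="1.0">
         <artifact name="legacy-1.0.jar">
            <md5 value="00000000000000000000000000000003" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="com.example" name="bare" version="2.0">
         <artifact name="bare-2.0.jar"/>
      </component>
   </components>
</verification-metadata>
"""

def audit(xml_text):
    """Return (verify_metadata_on, weak, missing) for a verification-metadata.xml document.
    weak: artifacts pinned only by md5/sha1; missing: artifacts with no checksum at all."""
    root = ET.fromstring(xml_text)
    flag = root.find("v:configuration/v:verify-metadata", NS)
    verify_metadata_on = flag is not None and (flag.text or "").strip() == "true"
    weak, missing = [], []
    for comp in root.findall("v:components/v:component", NS):
        coord = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        for art in comp.findall("v:artifact", NS):
            algos = {child.tag.rsplit("}", 1)[-1] for child in art}  # strip namespace
            entry = f"{coord} {art.get('name')}"
            if not algos:
                missing.append(entry)
            elif not algos & STRONG:
                weak.append(entry)
    return verify_metadata_on, weak, missing
```

Run it against the real file with `audit(open("gradle/verification-metadata.xml").read())`; anything listed as weak or missing should be regenerated with `--write-verification-metadata sha256` before the file is committed.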
> Dependency verification
> ------------------------
>
> Key: OFBIZ-12186
> URL: https://issues.apache.org/jira/browse/OFBIZ-12186
> Project: OFBiz
> Issue Type: Sub-task
> Components: Gradle
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Priority: Major
> Attachments: verification-metadata.xml
>
>
> I posted a related message in dev ML: https://markmail.org/message/55r5ycn2wrbotnbn:
> {quote}
> Hi,
> I just read a members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
> One member mentioned that the Groovy project is using the Gradle's dependency verification feature\[1] in the Apache Groovy build.
> I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.
> What do you think?
> \[1] https://docs.gradle.org/current/userguide/dependency_verification.html
> Jacques
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)