This is one key reason why I am currently opposed to using the gradle wrapper. Yes, it's easy to use, but they are doing that at the expense of security; it's really quite surprisingly sloppy. It reminds me of all those sites where you can download missing DLLs for Windows. No wonder there are many million-strong botnets based on Windows...
.hc

Dominik Schuermann:
> Hey,
>
> posting this here, because it may be relevant for these projects.
>
> At Openkeychain we are using Gradle Witness [0] to verify the dependencies
> from Maven.
> I noticed that there is still a dependency that is not verified: The
> gradle distribution itself. It is downloaded via a gradle wrapper that
> is part of the repositories (normally at gradle/wrapper/gradle-wrapper.jar).
> I now implemented SHA-256 sum verification for it in my fork [1] and did
> a pull request [2] to the main gradle repo. Maybe you guys are already
> interested in using it before it is merged. It is also a good
> opportunity to build the gradle-wrapper.jar yourself from source...
>
> 1. Get source from https://github.com/sufficientlysecure/gradle
> 2. Build it and get wrapper from
> subprojects/wrapper/build/libs/gradle-wrapper.jar
> 3. Use it like
> https://github.com/open-keychain/open-keychain/commit/41968206d3deed789dd5b35468a8d8487755234c
>
> Regards
> Dominik
>
>
> [0] https://github.com/WhisperSystems/gradle-witness
> [1] https://github.com/sufficientlysecure/gradle
> [2] https://github.com/gradle/gradle/pull/448
> _______________________________________________
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email: [email protected]
>

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
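As an added example (not code from this thread, nor Gradle's or the fork's own implementation), here is the kind of check Dominik describes, written in Python: it audits whether a gradle-wrapper.properties pins the distribution by SHA-256 and verifies a downloaded archive against that pin. It assumes Gradle's `distributionSha256Sum` property name, and all sample data below is constructed.

```python
import hashlib
import hmac
import re

# Assumed key name: the Gradle wrapper honours distributionSha256Sum in
# gradle/wrapper/gradle-wrapper.properties when it is present.
SHA_KEY = "distributionSha256Sum"

# Constructed stand-in for a downloaded gradle-*-bin.zip (not a real archive).
FAKE_DISTRIBUTION = b"PK\x03\x04 constructed stand-in for a gradle distribution zip"

# Constructed properties files: one pinned to the stand-in's digest, one unpinned.
PINNED_PROPS = (
    "distributionBase=GRADLE_USER_HOME\n"
    "distributionUrl=https\\://services.gradle.org/distributions/gradle-bin.zip\n"
    f"{SHA_KEY}={hashlib.sha256(FAKE_DISTRIBUTION).hexdigest()}\n"
)
UNPINNED_PROPS = (
    "distributionBase=GRADLE_USER_HOME\n"
    "distributionUrl=https\\://services.gradle.org/distributions/gradle-bin.zip\n"
)


def parse_wrapper_properties(text: str) -> dict:
    """Parse key=value lines of a Java properties file; comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Properties files escape ':' in URLs as '\:'; undo that.
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def audit_pin(props: dict) -> str:
    """Policy check: the distribution must be pinned by a well-formed SHA-256 hex digest."""
    pin = props.get(SHA_KEY, "")
    if not pin:
        return "UNPINNED"  # the wrapper would trust whatever the URL serves
    if not re.fullmatch(r"[0-9a-f]{64}", pin.lower()):
        return "MALFORMED"
    return "PINNED"


def verify_distribution(archive: bytes, props: dict) -> bool:
    """Mirror the wrapper-side check: hash the archive, compare it to the pin."""
    if audit_pin(props) != "PINNED":
        return False  # refuse to run an unpinned distribution at all
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, props[SHA_KEY].lower())
```

Running `audit_pin` over every checked-in wrapper config in CI catches the unpinned case before any download happens; `verify_distribution` rejects a tampered archive even when the URL is unchanged.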
