[
https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vladimir Sitnikov updated AURORA-1997:
--------------------------------------
Description:
{{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and it
makes it possible to increase the level of security.
Key features:
* Gradle plugins can be verified (gradle-witness doesn't track plugins)
* All Gradle configurations are supported (e.g. `java-library` plugin is
supported). `checksum-dependency-plugin` intercepts detached configurations as
well (e.g. the ones that are created on demand)
* PGP can be used for verification. PGP can be used with or without checksum.
PGP makes it possible to detect and prevent issues like
[https://blog.autsoft.hu/a-confusing-dependency/]
{{checksum-dependency-plugin}} aims to provide insulation against MITM attacks
via maven dependency downloads.
It is trivial to integrate, and it is not that hard to maintain (e.g.
checksum.xml could be updated automatically)
[1]
[https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]
was:
gradle-witness [1] aims to provide insulation against MITM attacks via maven
dependency downloads. From the looks of things, it would require a pretty
small amount of upfront work and upkeep to integrate this and prevent injection
of rogue code.
[1] https://github.com/whispersystems/gradle-witness
> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
> Key: AURORA-1997
> URL: https://issues.apache.org/jira/browse/AURORA-1997
> Project: Aurora
> Issue Type: Story
> Components: Build, Scheduler, Security
> Reporter: Vladimir Sitnikov
> Priority: Trivial
> Labels: newbie
>
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
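The mechanism the issue asks for, pinned checksums checked against every resolved artifact, with an unpinned or tampered artifact failing the build, as an added worked example. This is illustration code written for this page, not code from checksum-dependency-plugin, gradle-witness or Apache Aurora; the XML manifest schema is a hypothetical simplification and is not the plugin's real checksum.xml format, and the artifact bytes are constructed inline. It also shows the "update automatically" side mentioned in the description: unknown artifacts can be pinned from a trusted build, but an artifact that mismatches an existing pin is never silently re-pinned.

```python
"""Pinned-checksum verification of resolved dependencies (added example).

Not the code of checksum-dependency-plugin; the manifest schema below is a
hypothetical simplification, and all artifact bytes are constructed here.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Coordinates:
    """Maven coordinates of one resolved artifact."""
    group: str
    module: str
    version: str

    def __str__(self) -> str:
        return f"{self.group}:{self.module}:{self.version}"


class VerificationError(Exception):
    """A resolved artifact must not be used; the build should fail."""


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def build_manifest(pins: dict[Coordinates, str]) -> str:
    """Serialise coordinates -> sha512 pins as XML (hypothetical schema)."""
    root = ET.Element("dependency-verification")
    for coords in sorted(pins):
        dep = ET.SubElement(root, "dependency", group=coords.group,
                            module=coords.module, version=coords.version)
        ET.SubElement(dep, "sha512").text = pins[coords]
    return ET.tostring(root, encoding="unicode")


def load_manifest(xml_text: str) -> dict[Coordinates, str]:
    """Parse the manifest back into coordinates -> lower-case hex sha512."""
    root = ET.fromstring(xml_text)
    pins: dict[Coordinates, str] = {}
    for dep in root.findall("dependency"):
        coords = Coordinates(dep.get("group"), dep.get("module"), dep.get("version"))
        pins[coords] = dep.findtext("sha512", "").strip().lower()
    return pins


def verify_artifact(pins: dict[Coordinates, str], coords: Coordinates,
                    data: bytes) -> str:
    """Return the verified digest or raise.

    An artifact that is not pinned at all is rejected, not waved through: a
    verifier that accepts unknown coordinates gives no protection against a
    dependency injected into the graph (e.g. via a transitive or detached
    configuration).
    """
    expected = pins.get(coords)
    if expected is None:
        raise VerificationError(f"{coords}: not pinned in manifest")
    actual = sha512_hex(data)
    if actual != expected:
        raise VerificationError(
            f"{coords}: sha512 mismatch (expected {expected[:16]}..., "
            f"got {actual[:16]}...)")
    return actual


def verify_resolution(pins: dict[Coordinates, str],
                      resolved: dict[Coordinates, bytes]) -> list[str]:
    """Check every resolved artifact; an empty list means the build may proceed."""
    errors = []
    for coords, data in resolved.items():
        try:
            verify_artifact(pins, coords, data)
        except VerificationError as exc:
            errors.append(str(exc))
    return errors


def update_manifest(pins: dict[Coordinates, str],
                    resolved: dict[Coordinates, bytes]) -> tuple[str, list[str]]:
    """Pin artifacts that are not in the manifest yet (trust-on-first-use, so
    run this only from a trusted environment and review the resulting diff).
    An artifact whose bytes disagree with an existing pin is reported, never
    re-pinned: that is the case a tampered download would produce."""
    merged = dict(pins)
    errors = []
    for coords, data in resolved.items():
        digest = sha512_hex(data)
        if coords in pins and pins[coords] != digest:
            errors.append(f"{coords}: refusing to re-pin mismatching artifact")
            continue
        merged[coords] = digest
    return build_manifest(merged), errors


if __name__ == "__main__":
    # Constructed sample input: a stand-in for a downloaded jar.
    good = b"PK\x03\x04 constructed jar bytes for org.example:libfoo"
    libfoo = Coordinates("org.example", "libfoo", "1.2.3")
    manifest = build_manifest({libfoo: sha512_hex(good)})
    pins = load_manifest(manifest)
    print("clean build:", verify_resolution(pins, {libfoo: good}))
    print("tampered:", verify_resolution(pins, {libfoo: good + b"\x00"}))
    libbar = Coordinates("org.example", "libbar", "0.1")
    print("unpinned:", verify_resolution(pins, {libfoo: good, libbar: b"x"}))
    new_xml, errs = update_manifest(pins, {libbar: b"x", libfoo: good + b"\x00"})
    print("update errors:", errs)
    print(new_xml)
```

The check is deliberately strict in both directions: a mismatching digest and a missing pin are both build failures, because the threat the issue names (a substituted artifact arriving over the network) looks to the build exactly like a new, unknown dependency.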