[ https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16925256#comment-16925256 ]
Vladimir Sitnikov commented on AURORA-1997:
-------------------------------------------

Note: there's no chicken-and-egg problem with checksum-dependency. The plugin itself is verified before it is even used (see [https://github.com/vlsi/vlsi-release-plugins/blob/3deb95aede2ee1da962875a2bbfe605f47bf1a7f/settings.gradle.kts#L59-L60] ), so you don't have to put the jar in source control.

> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
>                 Key: AURORA-1997
>                 URL: https://issues.apache.org/jira/browse/AURORA-1997
>             Project: Aurora
>          Issue Type: Story
>          Components: Build, Scheduler, Security
>            Reporter: Vladimir Sitnikov
>            Priority: Trivial
>              Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and
> it makes it possible to increase the level of security.
> Key features:
> * Gradle plugins can be verified (gradle-witness doesn't track plugins)
> * All Gradle configurations are supported (e.g. `java-library` plugin is
> supported). `checksum-dependency-plugin` intercepts detached configurations
> as well (e.g. the ones that are created on demand)
> * PGP can be used for verification. PGP can be used with or without
> checksum. PGP makes it possible to detect and prevent issues like
> [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM
> attacks via maven dependency downloads.
> It is trivial to integrate, and it is not that hard to maintain (e.g.
> checksum.xml could be updated automatically)
> [1]
> [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
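An added illustration, not the plugin's own code and not reproducing its checksum.xml format, of the verification rule discussed above: every resolved artifact must match a pinned SHA-512, artifacts that are not pinned fail closed rather than being accepted silently, and the verifier's own jar is checked before anything else (the bootstrap order the comment points to). The coordinates, artifact contents and the `verify_artifacts` / `verified_build` helpers are constructed for this example.

```python
import hashlib
from typing import Dict, Tuple

def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

# Constructed stand-ins for artifact bytes as fetched from a Maven repository
# (hypothetical coordinates; real jars are not reproduced here).
PLUGIN_COORD = "example:checksum-verifier-plugin:1.0"
TRUSTED_ARTIFACTS: Dict[str, bytes] = {
    PLUGIN_COORD: b"PLUGIN-JAR-BYTES",
    "example:lib-a:2.3": b"LIB-A-JAR-BYTES",
    "example:lib-b:4.1": b"LIB-B-JAR-BYTES",
}

# The pin table a project would review and commit (coordinate -> SHA-512).
# Derived from the trusted bytes above only so the example is self-contained.
PINNED_SHA512: Dict[str, str] = {c: sha512_hex(d) for c, d in TRUSTED_ARTIFACTS.items()}

def verify_artifacts(resolved: Dict[str, bytes], pinned: Dict[str, str]) -> Dict[str, str]:
    """Classify each resolved artifact as 'ok', 'mismatch' (bytes differ from the
    pin, e.g. substituted in transit) or 'unpinned' (never reviewed; also a failure)."""
    report: Dict[str, str] = {}
    for coord, data in resolved.items():
        expected = pinned.get(coord)
        if expected is None:
            report[coord] = "unpinned"
        elif sha512_hex(data) != expected:
            report[coord] = "mismatch"
        else:
            report[coord] = "ok"
    return report

def verified_build(resolved: Dict[str, bytes], pinned: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Check the verifier plugin's own jar first; only if it matches its pin are the
    remaining dependencies examined. Returns (build_allowed, per-artifact report)."""
    plugin = resolved.get(PLUGIN_COORD)
    if plugin is None or sha512_hex(plugin) != pinned.get(PLUGIN_COORD):
        return False, {PLUGIN_COORD: "mismatch"}
    rest = {c: d for c, d in resolved.items() if c != PLUGIN_COORD}
    report = verify_artifacts(rest, pinned)
    return all(status == "ok" for status in report.values()), report

def demo() -> Tuple[bool, Dict[str, str]]:
    # Constructed resolution: lib-a altered on the wire, plus an artifact nobody pinned.
    resolved = dict(TRUSTED_ARTIFACTS)
    resolved["example:lib-a:2.3"] = b"LIB-A-JAR-BYTES-TAMPERED"
    resolved["example:unlisted:1.0"] = b"UNLISTED-JAR-BYTES"
    return verified_build(resolved, PINNED_SHA512)
```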