[
https://issues.apache.org/jira/browse/AURORA-616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16925258#comment-16925258
]
Vladimir Sitnikov commented on AURORA-616:
------------------------------------------
[~jfarrell], I've opened AURORA-1997 regarding integration of
checksum-dependency-plugin.
There's no need to build checksum-dependency as its checksum can be verified
before use.
The checksum is published at the plugin readme page, and it is reproducible (so
you can download sources, build it locally, and you will still end up with the
same SHA-512).
> Consider using gradle-witness to verify dependencies
> ----------------------------------------------------
>
> Key: AURORA-616
> URL: https://issues.apache.org/jira/browse/AURORA-616
> Project: Aurora
> Issue Type: Story
> Components: Build, Scheduler, Security
> Reporter: Bill Farner
> Priority: Trivial
> Labels: newbie
>
> gradle-witness [1] aims to provide insulation against MITM attacks via
> maven dependency downloads. From the looks of things, it would require a
> pretty small amount of upfront work and upkeep to integrate this and prevent
> injection of rogue code.
> [1] https://github.com/whispersystems/gradle-witness
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
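The check the comment and the issue describe, as an added example that is not code from Apache Aurora, gradle-witness or checksum-dependency-plugin: an artifact is accepted only if its SHA-512 matches a digest pinned in the repository ahead of time, so bytes substituted on the download path are rejected, and a reproducible build means a locally built copy satisfies the same pin. Artifact coordinates, the "jar" contents and the pin list are constructed for the example; the one literal digest is the FIPS 180-4 SHA-512 test vector for the bytes `abc`, included only to show what a pinned entry looks like.

```python
"""Pinned-checksum verification of resolved build dependencies (added example)."""
import hashlib
import hmac
from typing import Dict, List, Mapping, Tuple


class UnpinnedDependency(Exception):
    """Raised when a resolved artifact has no pinned checksum at all."""


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def verify_artifact(coordinate: str, data: bytes, pins: Mapping[str, str]) -> bool:
    """Return True only if `data` hashes to the digest pinned for `coordinate`.

    An unknown coordinate is an error, not a pass: a pin list that silently
    ignores new dependencies protects nothing for exactly the artifact an
    attacker would add to the build.
    """
    expected = pins.get(coordinate)
    if expected is None:
        raise UnpinnedDependency(coordinate)
    # Constant-time comparison of the hex digests (idiomatic for any
    # hash or secret comparison, even though leakage here is not a real risk).
    return hmac.compare_digest(sha512_hex(data), expected.lower())


def verify_resolved(resolved: Mapping[str, bytes],
                    pins: Mapping[str, str]) -> List[Tuple[str, str]]:
    """Check every resolved artifact and return (coordinate, reason) per failure.

    All artifacts are checked rather than stopping at the first failure, so a
    build log shows every bad download at once.
    """
    failures: List[Tuple[str, str]] = []
    for coordinate, data in resolved.items():
        try:
            if not verify_artifact(coordinate, data, pins):
                failures.append((coordinate, "checksum mismatch"))
        except UnpinnedDependency:
            failures.append((coordinate, "no pinned checksum"))
    return failures


# --- constructed sample data ------------------------------------------------
# Constructed "jar" bytes standing in for a downloaded plugin artifact.
PLUGIN_JAR = b"PK\x03\x04constructed-checksum-dependency-plugin-bytes"
# A second copy "built locally": byte-identical, which is what a reproducible
# build gives you and why the locally built jar satisfies the same pin.
PLUGIN_JAR_LOCAL_BUILD = bytes(PLUGIN_JAR)
# The same artifact with its last byte altered in transit (simulated MITM).
PLUGIN_JAR_TAMPERED = PLUGIN_JAR[:-1] + bytes([PLUGIN_JAR[-1] ^ 0x01])

# Pin list as it would be committed alongside the build. Coordinates are
# constructed. The first digest is the FIPS 180-4 SHA-512 test vector for
# b"abc" (shown as a literal, the way a real pin is written); the second is
# derived from the constructed bytes above so the example runs offline.
PINS: Dict[str, str] = {
    "org.example:abc-artifact:1.0": (
        "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
        "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
    ),
    "org.example:checksum-dependency-plugin:1.0": sha512_hex(PLUGIN_JAR),
}


def demo() -> List[Tuple[str, str]]:
    """Verify a constructed resolved set: one good, one tampered, one unpinned."""
    resolved = {
        "org.example:abc-artifact:1.0": b"abc",
        "org.example:checksum-dependency-plugin:1.0": PLUGIN_JAR_TAMPERED,
        "org.example:never-pinned:0.1": b"anything",
    }
    return verify_resolved(resolved, PINS)


if __name__ == "__main__":
    for coordinate, reason in demo():
        print(f"REJECT {coordinate}: {reason}")
```

The design choice worth noting is that an artifact missing from the pin list fails the build rather than passing: a checksum plugin only defends against injected code if adding a dependency forces someone to record its digest, which is the "upkeep" the issue refers to.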