[
https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17002978#comment-17002978
]
Vladimir Sitnikov commented on AURORA-1997:
-------------------------------------------
Hi, I hope you are doing well.
You might be interested to know that [Gradle 6.2 introduces in-core dependency verification|https://github.com/gradle/gradle/issues/10443#issuecomment-568741472]
The documentation can be reviewed here:
https://github.com/gradle/gradle/pull/11755
From what I know, Gradle would cover more cases when compared with
{{checksum-dependency-plugin}}. For instance, it will be able to verify
`pom.xml` files which are implicitly fetched by Gradle when resolving transitive
dependencies, and probably other cases.
Some bits can be previewed in the current release candidates, release nightly
builds and master nightly builds (see https://gradle.org/releases/ )
It would be nice if you could preview the feature and provide your feedback.
> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
> Key: AURORA-1997
> URL: https://issues.apache.org/jira/browse/AURORA-1997
> Project: Aurora
> Issue Type: Story
> Components: Build, Scheduler, Security
> Reporter: Vladimir Sitnikov
> Priority: Trivial
> Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and
> it makes it possible to increase the level of security.
> Key features:
> * Gradle plugins can be verified (gradle-witness doesn't track plugins)
> * All Gradle configurations are supported (e.g. `java-library` plugin is
> supported). `checksum-dependency-plugin` intercepts detached configurations
> as well (e.g. the ones that are created on demand)
> * PGP can be used for verification. PGP can be used with or without
> checksum. PGP makes it possible to detect and prevent issues like
> [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM
> attacks via maven dependency downloads.
> It is trivial to integrate, and it is not that hard to maintain (e.g.
> checksum.xml could be updated automatically)
> [1]
> [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
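Added example (not code from this issue, from Gradle, or from checksum-dependency-plugin): a small Python model of the checksum-based dependency verification the comment and the issue describe, shaped after Gradle 6.2's gradle/verification-metadata.xml. It records a SHA-256 for every resolved file, pom.xml included, then checks a second resolution against those pins. The coordinates (org.example:lib, org.example:evil) and all artifact bytes are constructed for the example; the XML is written and parsed with the real Gradle namespace, but the element set is reduced to what the example needs.

```python
# Added example (not Gradle's, Apache Aurora's, or checksum-dependency-plugin's
# code): a minimal model of checksum-based dependency verification in the shape
# of Gradle 6.2's gradle/verification-metadata.xml. All artifacts below are
# constructed byte strings, not real Maven Central content.
import hashlib
import xml.etree.ElementTree as ET

NS = "https://schema.gradle.org/dependency-verification"
METADATA_SUFFIXES = (".pom", ".module")  # Gradle's "metadata" artifacts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_verification_metadata(resolved: dict, verify_metadata: bool = True) -> str:
    """Emulate `gradle --write-verification-metadata sha256`: record a checksum
    for every resolved file, including the .pom files fetched to resolve
    transitive dependencies. `resolved` maps (group, name, version) to
    {filename: bytes}."""
    root = ET.Element("verification-metadata", xmlns=NS)
    cfg = ET.SubElement(root, "configuration")
    ET.SubElement(cfg, "verify-metadata").text = str(verify_metadata).lower()
    comps = ET.SubElement(root, "components")
    for (group, name, version), files in sorted(resolved.items()):
        comp = ET.SubElement(comps, "component", group=group, name=name, version=version)
        for fname, data in sorted(files.items()):
            art = ET.SubElement(comp, "artifact", name=fname)
            ET.SubElement(art, "sha256", value=sha256_hex(data), origin="Generated by example")
    return ET.tostring(root, encoding="unicode")


def verify(metadata_xml: str, fetched: dict) -> list:
    """Check every fetched file against the pinned checksums. Returns a list of
    (coordinate, filename, reason) failures; an empty list means the build may
    proceed. A file with no recorded checksum is a failure too: a new transitive
    dependency pulled in by a tampered pom must not pass silently."""
    root = ET.fromstring(metadata_xml)
    vm = root.find(f"{{{NS}}}configuration/{{{NS}}}verify-metadata")
    verify_metadata = vm is None or vm.text.strip().lower() != "false"
    expected = {}
    for comp in root.iter(f"{{{NS}}}component"):
        coord = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall(f"{{{NS}}}artifact"):
            sha = art.find(f"{{{NS}}}sha256")
            if sha is not None:
                expected[(coord, art.get("name"))] = sha.get("value")
    failures = []
    for coord, files in fetched.items():
        for fname, data in files.items():
            if not verify_metadata and fname.endswith(METADATA_SUFFIXES):
                continue  # this is exactly what switching verify-metadata off gives up
            want = expected.get((coord, fname))
            if want is None:
                failures.append((coord, fname, "no checksum recorded"))
            elif sha256_hex(data) != want:
                failures.append((coord, fname, "sha256 mismatch"))
    return failures


# Constructed sample resolution: one library, its jar and its pom.
LIB = ("org.example", "lib", "1.0")
GOOD_POM = b"<project><artifactId>lib</artifactId><version>1.0</version></project>"
RESOLVED = {LIB: {"lib-1.0.jar": b"PK\x03\x04 constructed jar bytes", "lib-1.0.pom": GOOD_POM}}
METADATA = write_verification_metadata(RESOLVED)

# Attack model: a MITM on the repository download rewrites the pom so that it
# declares an extra dependency; the jar itself is left untouched.
EVIL = ("org.example", "evil", "0.1")
TAMPERED = {
    LIB: {"lib-1.0.jar": RESOLVED[LIB]["lib-1.0.jar"],
          "lib-1.0.pom": GOOD_POM.replace(b"</project>", b"<dependencies/></project>")},
    EVIL: {"evil-0.1.jar": b"constructed payload", "evil-0.1.pom": b"<project/>"},
}

if __name__ == "__main__":
    print("clean build:", verify(METADATA, RESOLVED))
    print("tampered build:", verify(METADATA, TAMPERED))
    print("metadata checks off:", verify(write_verification_metadata(RESOLVED, False), TAMPERED))
```

The third call shows why verifying the pom matters: with metadata verification disabled the rewritten lib-1.0.pom slips through and only the unlisted evil-0.1.jar is caught, whereas with it enabled the pom mismatch is reported before anything it declares gets used. Real Gradle metadata also carries <pgp value="..."/> entries and a <trusted-keys> block for the signature-based mode mentioned above; those are not modelled here.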