[
https://issues.apache.org/jira/browse/AURORA-616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14081240#comment-14081240
]
Jake Farrell commented on AURORA-616:
-------------------------------------
I played with this a little bit last night and ran into an issue with adding
witness as a dependency in the build_script as a compile(project: ) as this is
not supported in gradle (chicken-egg problem documented on gradle dev forums).
I think the best approach will be to add the src to build-support and compile
and place the jar in the gradle folder. we can then exclude this from the
source dist and add a bootstrap step which will compile this before generating
the gradlew or adding any other deps we have (bower components etc)
Thoughts?
> Consider using gradle-witness to verify dependencies
> ----------------------------------------------------
>
> Key: AURORA-616
> URL: https://issues.apache.org/jira/browse/AURORA-616
> Project: Aurora
> Issue Type: Story
> Components: Build, Scheduler, Security
> Reporter: Bill Farner
> Priority: Trivial
> Labels: newbie
>
> gradle-witness \[1\] aims to provide insulation against MITM attacks via
> maven dependency downloads. From the looks of things, it would require a
> pretty small amount of upfront work and upkeep to integrate this and prevent
> injection of rogue code.
> \[1\] https://github.com/whispersystems/gradle-witness
--
This message was sent by Atlassian JIRA
(v6.2#6252)
