Christos Malliaridis created SOLR-17657:
-------------------------------------------
Summary: Evaluate and Update checksum and signature verification
Key: SOLR-17657
URL: https://issues.apache.org/jira/browse/SOLR-17657
Project: Solr
Issue Type: Improvement
Components: Gradle
Reporter: Christos Malliaridis
Dependency verification is an important step that is used when we want to
verify the integrity of third-party libraries. Right now, we have custom gradle
tasks for generating and verifying the gradle checksums.
These custom gradle tasks seem to be limited in their dependency resolution and
do not check dependencies from plugins, buildSrc or integrated builds.
Gradle comes with dependency verification options that also support signature
checks, wherever available. It is also capable of taking plugins and
configurations from buildSrc and integrated builds into account. See
[Gradle dependency verification|https://docs.gradle.org/current/userguide/dependency_verification.html]
for more information.
h2. Task
Evaluate the output and the capabilities available of the Gradle-native
features from the above link and update the gradle tasks and development flows
if they are preferred.
You can use the gradle task
{{.\gradlew \-\-write-verification-metadata sha256 help}}
for generating your first output at {{gradle/verification-metadata.xml}}.
h2. Acceptance Criteria
- The GitHub workflows continue verifying checksums and optionally signatures
If updated to the Gradle-native tasks:
- The steps in our developer guide are updated accordingly
- redundant custom gradle tasks related to the checksum generation and
verification are removed
- Checksum files from {{solr/licenses}} are removed
h2. Additional Information
The new UI module introduced in #2605 is a Kotlin multiplatform module, which
does not use the JavaPlugin that is used for resolving jar information (see
jarValidation task). This means that it is not covered by our custom tasks.
We should try to address this issue before Solr 10 is released, because we have
already changed a lot of things related to dependency management.
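As an added example (not part of the original issue and not Solr project code): a small Python audit of a {{gradle/verification-metadata.xml}} file of the kind the command in the issue generates, listing artifacts that have no SHA-256/SHA-512 checksum and artifacts with no per-artifact PGP entry. The sample XML, its coordinates and the {{audit}} helper name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"g": "https://schema.gradle.org/dependency-verification"}

# Constructed sample in the layout Gradle writes to gradle/verification-metadata.xml;
# coordinates, hash values and the key id are made up.
SAMPLE = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.example" name="core" version="1.0">
      <artifact name="core-1.0.jar"><sha256 value="aa11" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="org.example" name="legacy" version="0.9">
      <artifact name="legacy-0.9.jar"><sha1 value="bb22" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="org.example" name="signed" version="2.0">
      <artifact name="signed-2.0.jar">
        <pgp value="CONSTRUCTED-KEY-ID"/>
        <sha256 value="cc33" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""


def audit(xml_text):
    """Hypothetical helper: summarise what the metadata file actually pins."""
    root = ET.fromstring(xml_text)
    flag = root.findtext("g:configuration/g:verify-signatures", "false", NS)
    report = {"verify_signatures": flag.strip() == "true", "weak_only": [], "no_pgp_entry": []}
    for comp in root.iterfind("g:components/g:component", NS):
        gav = ":".join(comp.get(k, "?") for k in ("group", "name", "version"))
        for art in comp.iterfind("g:artifact", NS):
            kinds = {child.tag.rsplit("}", 1)[-1] for child in art}
            entry = f"{gav}/{art.get('name')}"
            if not kinds & {"sha256", "sha512"}:
                report["weak_only"].append(entry)  # only md5/sha1, or nothing, is pinned
            # Keys listed under <trusted-keys> in <configuration> are not counted here.
            if "pgp" not in kinds:
                report["no_pgp_entry"].append(entry)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it against the real file after generation shows how much of the dependency set is covered by checksums only, which is the gap the signature option would close.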