This is an automated email from the ASF dual-hosted git repository. jkf pushed a commit to branch 1.9.x in repository https://gitbox.apache.org/repos/asf/ant.git
commit fb6d9b0d5d603d4339f5547a74f00833b221cc0a Author: jkf <j...@famkruithof.net> AuthorDate: Sun May 26 08:11:28 2019 +0200 Validating contents of resources fetched via insecure channels --- fetch.xml | 8 ++++++++ lib/libraries.properties | 3 +++ 2 files changed, 11 insertions(+) diff --git a/fetch.xml b/fetch.xml index 679aceb..106237d 100644 --- a/fetch.xml +++ b/fetch.xml @@ -342,6 +342,14 @@ Set -Ddest=LOCATION on the command line <target name="netrexx" description="load NetRexx compiler" depends="init-no-m2,-setup-temp-cache,-fetch-netrexx,-fetch-netrexx-no-commons-net"> + <checksum file="${temp.dir}/NetRexx.zip" algorithm="SHA-256" property="${netrexx.sha256}" verifyProperty="netrexx.hash.matches"/> + <fail message="NetRexx.zip fetched via ftp has an unexpected SHA-256 checksum, the file may have been tampered with"> + <condition> + <not> + <istrue value="${netrexx.hash.matches}"/> + </not> + </condition> + </fail> <copy todir="${dest.dir}" flatten="true"> <zipfileset src="${temp.dir}/NetRexx.zip"> <include name="NetRexx\lib\NetRexxC.jar"/> diff --git a/lib/libraries.properties b/lib/libraries.properties index 9ecbcfb..fcad671 100644 --- a/lib/libraries.properties +++ b/lib/libraries.properties @@ -28,6 +28,9 @@ m2.sha1.checksum=b09be554228d66d208e5fef5266844aacf443abc # Repository to use by default for fetching dependencies. m2.repo=http://repo1.maven.org/maven2/ +# hashes of libraries loaded over insecure connections +netrexx.sha256=1f99f054e9b1e412d29823088f3fa7cfce90a7af25d907a60a6d7908a6b97ea4 + # Versions of different libraries. Please keep in alphabetical order, except # when a specific dependency forces them to be out-of-order ivy.version=2.4.0
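Review bot: The `<fail>` that follows the new `<checksum>` in the `netrexx` target cannot tell a tampered download apart from a missing expected value. If `netrexx.sha256` is undefined when the target runs, `${netrexx.sha256}` stays unexpanded, the comparison comes out false and the build reports possible tampering. Failing closed is the right default, but a preceding `<fail unless="netrexx.sha256" message="netrexx.sha256 is not set; the expected value is defined in lib/libraries.properties"/>` would separate misconfiguration from a real mismatch. Where fetch.xml loads that properties file is outside this hunk, and the target body continues past it. The failure message could also name `${temp.dir}/NetRexx.zip` so the rejected archive can be found and removed.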
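Review bot: The pinned `netrexx.sha256` value has no record of which NetRexx release or download location it was computed from, so a later mismatch is hard to tell apart from a legitimate upstream refresh of NetRexx.zip. I would extend the new comment, for example `# SHA-256 of NetRexx.zip as downloaded by -fetch-netrexx in fetch.xml; confirm a new value against an independently obtained copy before updating`. Separately, the context line `m2.repo=http://repo1.maven.org/maven2/` still uses plain HTTP. Whether artifacts fetched through it are verified elsewhere is not visible in this hunk, but they fall under the same "insecure connections" heading this commit introduces.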