Uploaded image for project: 'Aurora'
  1. Aurora
  2. AURORA-616

Consider using gradle-witness to verify dependencies

    XMLWordPrintableJSON

Details

    • Story
    • Status: Resolved
    • Trivial
    • Resolution: Won't Fix
    • None
    • None
    • Build, Scheduler, Security

    Description

      gradle-witness [1] aims to provide insulation against MITM attacks via maven dependency downloads. From the looks of things, it would require a pretty small amount of upfront work and upkeep to integrate this and prevent injection of rogue code.

      [1] https://github.com/whispersystems/gradle-witness

      Attachments

        Issue Links

          is cloned by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AURORA-1997 Consider using checksum-dependency-plugin for dependency verification

          • Trivial - Cosmetic problem like misspelt words or misaligned text.
          • Closed
          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AURORA-618 Pin cryptographic checksums of python requirements

          • Major - Major loss of function.
          • Resolved

          Task - A task that needs to be done. AURORA-620 Consider using JCenter over HTTPS instead of Maven Central

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              wfarner Bill Farner
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: