Hi Michael,
For using SHA256 instead of SHA1, since we did not release it yet, why not begin with 18.12.01?
Even for 17.12.07 I'd say, why wait on a tiny but possible vulnerability?
Switching from SHA1 to SHA256 is easily done, no?
It's not exactly the same case, but in init-gradle-wrapper.ps1, if the checksum fails, the downloaded file is deleted.
It seems to me that there is a (very small, but real) chance that, if the shasum command is not installed, the downloaded file could be dangerous and should be deleted (disclaimer: I did not check if it's done, I just reported Vladimir's concern).
My 2cts
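A defensive download-verification helper for the shell-script concern discussed above, added here as an illustration and not code from the OFBiz repository. It assumes SHA-256 digests, uses whichever of sha256sum, shasum or openssl is installed, and removes the file whenever the digest cannot be confirmed (mismatch or no hashing tool), so no unverified jar is left behind:

```shell
#!/bin/sh
# Hypothetical helper (added example, not the OFBiz init-gradle-wrapper script).
# Policy: a file whose checksum cannot be confirmed is treated like a failed
# download and removed, so nothing unverified remains on disk to be launched.

# Print the SHA-256 of $1 using whichever tool exists; return 1 if none does.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  else
    return 1
  fi
}

# verify_or_remove FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to EXPECTED_SHA256. On a mismatch, or when
# no hashing tool is available, FILE is deleted and 1 is returned.
verify_or_remove() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file") || {
    echo "ERROR: no sha256sum/shasum/openssl found; cannot verify $file, removing it" >&2
    rm -f "$file"
    return 1
  }
  if [ "$actual" = "$expected" ]; then
    echo "OK: checksum match for $file"
    return 0
  fi
  echo "ERROR: checksum mismatch for $file" >&2
  echo "Expected: $expected" >&2
  echo "Actual:   $actual" >&2
  rm -f "$file"
  return 1
}

# Constructed demo input (not a real Gradle wrapper): a file containing "hello\n".
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_or_remove "$demo_file" "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
rm -f "$demo_file"
```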
On 11/04/2021 at 15:31, Michael Brohl wrote:
Hi Jacques,
why should we change the checksum algorithm now, for this release? I would leave it as is and introduce another one beginning with trunk.
For the shasum part: the program is needed for the checks, like other programs (curl/wget, grep, whereis) are also needed. The script clearly states that when shasum is missing. I see no problem with that.
Best regards,
Michael Brohl
ecomify GmbH - www.ecomify.de
On 10.04.21 at 14:16, [email protected] wrote:
Hi,
I think we should at least discuss the 2 points below before releasing 17.12.07
Thanks
Jacques
On 10/04/2021 at 14:10, [email protected] wrote:
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 564b605 Improved: Replace Bintray by a new place to upload the Gradle Wrapper (OFBIZ-12192)
564b605 is described below
commit 564b605d5509cd85f8d7b6355b4ebe62280e5686
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Apr 10 14:10:43 2021 +0200
Improved: Replace Bintray by a new place to upload the Gradle Wrapper (OFBIZ-12192)
The checksum part was missing in Windows init-gradle-wrapper.ps1 script
I have noticed 2 points:
1. We should use SHA256, not SHA1
2. The unix-like shell script in OFBiz misses checksum verification in case the shasum command is not installed. In other words, if I launch the script it would fail with "shasum not found, the downloaded files could not be verified". However, the file will be kept there, so the user could launch an unverified jar.
Last point was reported by Vladimir Sitnikov at LEGAL-288
---
gradle/init-gradle-wrapper.ps1 | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gradle/init-gradle-wrapper.ps1 b/gradle/init-gradle-wrapper.ps1
index c4911bd..2401147 100644
--- a/gradle/init-gradle-wrapper.ps1
+++ b/gradle/init-gradle-wrapper.ps1
@@ -25,6 +25,14 @@ If ($ExecutionContext.SessionState.LanguageMode -eq
"ConstrainedLanguage") {
Invoke-WebRequest -outf gradle\wrapper\gradle-wrapper.jar
https://github.com/gradle/gradle/raw/v4.5.1/gradle/wrapper/gradle-wrapper.jar
}
+$expected = "00d0743607178962f8b120da4ccad2c64c698aec"
+$actual = (Get-FileHash gradle\wrapper\gradle-wrapper.jar -Algorithm
SHA1).Hash.ToLower()
+@{$true = 'OK: Checksum match'; $false = "ERROR: Checksum mismatch!`nExpected:
$expected`nActual: $actual"}[$actual -eq $expected]
+
+if (!$true) {
+ Remove-Item gradle\wrapper\gradle-wrapper.jar
+ }
+
#Write-Host $ExecutionContext.SessionState.LanguageMode
Start-Sleep -s 3
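Review bot: the deletion guard in this hunk never fires: `if (!$true)` is a constant false, so on a mismatch the error string is emitted but gradle\wrapper\gradle-wrapper.jar stays on disk, which is the same "unverified jar left behind" problem the commit message describes for the shell script. Test the comparison result instead, e.g. `if ($actual -ne $expected) { Remove-Item gradle\wrapper\gradle-wrapper.jar; exit 1 }`, so the script also stops with a non-zero status instead of continuing to Start-Sleep. The `@{$true = ...; $false = ...}[$actual -eq $expected]` line only writes a string to the pipeline; a Write-Host on the match branch and a Write-Error on the mismatch branch would read more clearly. If the thread's SHA256 suggestion is taken, this hunk needs only `-Algorithm SHA256` and the matching expected digest.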