[ https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Renan DelValle closed AURORA-1997.
----------------------------------
    Resolution: Later

Hello [~vladimirsitnikov],

While we appreciate your suggestions, there are currently no plans to integrate this plugin on our roadmap. In a perfect world this would be a priority, but we simply don't have the dev power right now to upgrade to Gradle 6.x, which makes integrating with this plugin a serious challenge. If you believe you can help us upgrade to Gradle 6.x we would be extremely grateful for a pull request on GitHub: [https://github.com/apache/aurora]

Until then, unfortunately, I will have to close without a promise of getting to it in the future.

-Renan

> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
>                 Key: AURORA-1997
>                 URL: https://issues.apache.org/jira/browse/AURORA-1997
>             Project: Aurora
>          Issue Type: Story
>          Components: Build, Scheduler, Security
>            Reporter: Vladimir Sitnikov
>            Priority: Trivial
>              Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and
> it makes it possible to increase the level of security.
> Key features:
> * Gradle plugins can be verified (gradle-witness doesn't track plugins)
> * All Gradle configurations are supported (e.g. `java-library` plugin is
> supported). `checksum-dependency-plugin` intercepts detached configurations
> as well (e.g. the ones that are created on demand)
> * PGP can be used for verification. PGP can be used with or without
> checksum. PGP makes it possible to detect and prevent issues like
> [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM
> attacks via maven dependency downloads.
> It is trivial to integrate, and it is not that hard to maintain (e.g.
> checksum.xml could be updated automatically)
> [1]
> [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]

-- 
This message was sent by Atlassian Jira
(v8.3.4#803005)
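The issue above describes what a checksum-pinning verifier has to do to defend against a modified artifact served over a MITM'd or compromised Maven download: pin every artifact (plugins included), run the check on every configuration (detached ones too), fail closed on anything unpinned, and keep the pin file maintainable. The following Python is an added example, not code from the Aurora project or from checksum-dependency-plugin, and it does not reproduce the plugin's checksum.xml format or Gradle API; the pin file is modelled as a dict, the artifact bytes and Maven coordinates (`com.example:lib:1.0.0`, `com.example.gradle:build-plugin:2.1.0`) are constructed for the example, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed artifact bytes standing in for downloaded jars. They are not real
# artifacts; in a real build the bytes come from the Maven repository.
GENUINE_LIB = b"PK\x03\x04 constructed bytes of com.example:lib:1.0.0"
GENUINE_PLUGIN = b"PK\x03\x04 constructed bytes of com.example.gradle:build-plugin:2.1.0"


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# The checked-in pin file, modelled as a dict from Maven coordinates to SHA-512
# (hypothetical stand-in for the plugin's checksum.xml). Plugins are pinned
# alongside ordinary dependencies; a verifier that skips the plugin classpath
# leaves build-time code unprotected.
PINNED_CHECKSUMS = {
    "com.example:lib:1.0.0": sha512_hex(GENUINE_LIB),
    "com.example.gradle:build-plugin:2.1.0": sha512_hex(GENUINE_PLUGIN),
}


class VerificationError(Exception):
    """Raised when an artifact must not be put on any classpath."""


def verify_artifact(coordinates: str, data: bytes, pinned=PINNED_CHECKSUMS) -> str:
    """Return the SHA-512 of data if it matches the pin for coordinates.

    Fails closed: an artifact with no pin is rejected rather than silently
    trusted, and a mismatch is an error, not a warning.
    """
    expected = pinned.get(coordinates)
    if expected is None:
        raise VerificationError(f"{coordinates}: no pinned checksum, refusing to use it")
    actual = sha512_hex(data)
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(
            f"{coordinates}: checksum mismatch\n  expected {expected}\n  actual   {actual}"
        )
    return actual


def verify_configuration(name: str, resolved: dict, pinned=PINNED_CHECKSUMS) -> dict:
    """Verify every artifact of one resolved configuration.

    The same function is applied to the compile classpath, the buildscript
    (plugin) classpath and any detached configuration created on demand, so
    there is no resolution path that bypasses the pins.
    """
    return {coords: verify_artifact(coords, data, pinned) for coords, data in resolved.items()}


def classify(coordinates: str, data: bytes, pinned=PINNED_CHECKSUMS) -> str:
    """Map the verification outcome to a short label, for reporting and tests."""
    try:
        verify_artifact(coordinates, data, pinned)
        return "ok"
    except VerificationError as exc:
        return "unpinned" if "no pinned checksum" in str(exc) else "mismatch"


def generate_pins(resolved: dict) -> dict:
    """Produce pin entries for a resolved set: the 'update the pin file automatically' step.

    Auto-generated pins only record what was downloaded; they protect later
    builds against a different artifact being served, not the first download,
    which is why an independent channel (e.g. PGP signatures) is still useful.
    """
    return {coords: sha512_hex(data) for coords, data in resolved.items()}


if __name__ == "__main__":
    # A MITM or a compromised mirror serves a modified jar under the same coordinates.
    tampered = GENUINE_LIB + b"\n# injected"
    print(classify("com.example:lib:1.0.0", GENUINE_LIB))       # ok
    print(classify("com.example:lib:1.0.0", tampered))          # mismatch
    # A transitive dependency that was never pinned is rejected too.
    print(classify("org.example:unexpected:9.9", b"whatever"))  # unpinned
    # Every configuration, including a detached one, goes through the same check.
    print(verify_configuration("detached-1", {"com.example.gradle:build-plugin:2.1.0": GENUINE_PLUGIN}))
```

The two design points worth carrying into a real build are that an unpinned artifact is a failure rather than a pass (otherwise a newly introduced transitive dependency is never checked) and that regeneration of the pin file should be a deliberate, reviewed step, since regenerating it blindly after a mismatch turns the tampered artifact into the new baseline.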