[ 
https://issues.apache.org/jira/browse/AURORA-1997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Renan DelValle closed AURORA-1997.
----------------------------------
    Resolution: Later

Hello [~vladimirsitnikov],

While we appreciate your suggestions, there are currently no plans to integrate 
this plug-in on our roadmap.

In a perfect world this would be a priority, but we simply don't have the dev 
power right now to upgrade to Gradle 6.x, which makes integrating with this plugin 
a serious challenge.

If you believe you can help us upgrade to Gradle 6.x we would be extremely 
grateful for a pull request on github: [https://github.com/apache/aurora]

Until then, unfortunately, I will have to close without a promise of getting to 
it in the future.

-Renan

> Consider using checksum-dependency-plugin for dependency verification
> ---------------------------------------------------------------------
>
>                 Key: AURORA-1997
>                 URL: https://issues.apache.org/jira/browse/AURORA-1997
>             Project: Aurora
>          Issue Type: Story
>          Components: Build, Scheduler, Security
>            Reporter: Vladimir Sitnikov
>            Priority: Trivial
>              Labels: newbie
>
> {{checksum-dependency-plugin}} [1] is a superset of {{gradle-witness}}, and 
> it makes it possible to increase the level of security.
> Key features:
>  * Gradle plugins can be verified (gradle-witness doesn't track plugins)
>  * All Gradle configurations are supported (e.g. `java-library` plugin is 
> supported). `checksum-dependency-plugin` intercepts detached configurations 
> as well (e.g. the ones that are created on demand)
>  * PGP can be used for verification. PGP can be used with or without 
> checksum. PGP makes it possible to detect and prevent issues like 
> [https://blog.autsoft.hu/a-confusing-dependency/]
> {{checksum-dependency-plugin}} aims to provide insulation against MITM 
> attacks via Maven dependency downloads.
> It is trivial to integrate, and it is not that hard to maintain (e.g. an 
> updated checksum.xml could be generated automatically)
> [1] 
> [https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin]
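The fail-closed checksum gate that the issue describes, as an added illustration that is not the plugin's own code (the coordinate names, artifact bytes and pin table are constructed; the real plugin keeps its pins in checksum.xml, whose format is not reproduced here):

```python
import hashlib
from typing import Dict, Mapping, Tuple


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of an artifact's bytes (the pin value)."""
    return hashlib.sha512(data).hexdigest()


def verify_artifacts(downloaded: Mapping[str, bytes],
                     pinned: Mapping[str, str]) -> Dict[str, Tuple[str, ...]]:
    """Classify every resolved artifact as ok / mismatch / unpinned.

    Keys are Maven coordinates 'group:artifact:version'. Plugin artifacts and
    dependencies from detached (on-demand) configurations go through the same
    table: there is no second, unchecked path.
    """
    ok, mismatch, unpinned = [], [], []
    for coord, content in sorted(downloaded.items()):
        expected = pinned.get(coord)
        if expected is None:
            unpinned.append(coord)            # never pinned: cannot be trusted
        elif sha512_hex(content) != expected.lower():
            mismatch.append(coord)            # bytes differ from what was pinned
        else:
            ok.append(coord)
    return {"ok": tuple(ok), "mismatch": tuple(mismatch), "unpinned": tuple(unpinned)}


def build_allowed(report: Mapping[str, Tuple[str, ...]]) -> bool:
    """Fail closed: one tampered or unpinned artifact blocks the whole build."""
    return not report["mismatch"] and not report["unpinned"]


def demo() -> Tuple[Dict[str, Tuple[str, ...]], bool]:
    # Constructed stand-ins for jar files (hypothetical coordinates).
    good_jar = b"PK\x03\x04 constructed-library-bytes"
    plugin_jar = b"PK\x03\x04 constructed-plugin-bytes"
    tampered_jar = good_jar + b" injected-in-transit"
    pinned = {
        "org.example:lib:1.0": sha512_hex(good_jar),
        "org.example.gradle:plugin:2.1": sha512_hex(plugin_jar),
    }
    downloaded = {
        "org.example:lib:1.0": tampered_jar,          # content changed since pinning
        "org.example.gradle:plugin:2.1": plugin_jar,  # a plugin, checked like any dep
        "org.example:unlisted:0.9": b"PK\x03\x04 x",  # on-demand dep with no pin
    }
    report = verify_artifacts(downloaded, pinned)
    return report, build_allowed(report)


if __name__ == "__main__":
    print(demo())
```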



--
This message was sent by Atlassian Jira
(v8.3.4#803005)