<blockquote>
<p>If someone replaces the plugin with a hostile version that just does not check anything, how will that be detected?</p>
</blockquote>
<p>Checksumming is done by added code in settings.gradle.kts: <a href="https://github.com/bisq-network/bisq/pull/3051/files#diff-88b7c47e47b8ee65263b6784b86fa0a7R30-R39">https://github.com/bisq-network/bisq/pull/3051/files#diff-88b7c47e47b8ee65263b6784b86fa0a7R30-R39</a><br>
The plugin is not used to checksum itself.</p>
<p>The sequence is as follows:</p>
<ol>
<li>Dependency is declared</li>
<li>Dependency is resolved (jar file is downloaded) by <code>buildscript.configurations.classpath.resolve()</code></li>
<li>It is verified for the checksum</li>
<li>Then the plugin is applied</li>
</ol>
<p>I probably need to add an explicit test to the <code>checksum-dependency-plugin</code> codebase (to ensure that this holds for further Gradle versions); however, I did try to add a static initializer block to the plugin to see if it could execute before checksum verification, and the outcome is that the static initializer is NOT executed before checksumming (at least in Gradle 5.5.1).</p>
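<p>The declare / resolve / verify / apply sequence described above, written out as a settings.gradle.kts fragment. This is an added illustration, not the code from the Bisq PR or from <code>checksum-dependency-plugin</code>: the plugin coordinates (<code>com.example:example-plugin:1.0.0</code>), the plugin id and the pinned SHA-512 value are placeholders. It assumes the standard Gradle APIs <code>buildscript.configurations["classpath"].resolve()</code>, <code>GradleException</code> and <code>PluginAware.apply(plugin = ...)</code>.</p>

```kotlin
// settings.gradle.kts (added example, not the PR's own code)
import java.io.File
import java.security.MessageDigest

buildscript {
    repositories { gradlePluginPortal() }
    dependencies {
        // 1. Dependency is declared (placeholder coordinates)
        classpath("com.example:example-plugin:1.0.0")
    }
}

// Pinned SHA-512 digests, committed to source control. The key is the jar
// file name, the value is a placeholder, not a real digest.
val pinnedSha512 = mapOf(
    "example-plugin-1.0.0.jar" to "PLACEHOLDER_SHA512_HEX"
)

// Hex-encoded SHA-512 of a file's contents.
fun sha512Hex(file: File): String =
    MessageDigest.getInstance("SHA-512")
        .digest(file.readBytes())
        .joinToString("") { "%02x".format(it) }

// 2. Dependency is resolved: the jar (and any transitive jars) is downloaded,
//    but no class from it has been loaded yet.
val resolvedJars: Set<File> = buildscript.configurations["classpath"].resolve()

// 3. Every resolved jar must have a pinned digest and must match it. An
//    unexpected extra jar (for example a transitive dependency that was not
//    pinned) fails the build rather than being silently accepted.
for (jar in resolvedJars) {
    val expected = pinnedSha512[jar.name]
        ?: throw GradleException("No pinned checksum for ${jar.name}")
    val actual = sha512Hex(jar)
    if (actual != expected) {
        throw GradleException(
            "Checksum mismatch for ${jar.name}: expected $expected, got $actual"
        )
    }
}

// 4. Only now is the plugin applied. A jar that failed verification never
//    reaches this line, so none of its code (static initializers included)
//    is executed by Gradle.
apply(plugin = "com.example.example-plugin")
```

<p>The order matters: the <code>plugins {}</code> block cannot be used for this pattern because Gradle resolves and applies plugins declared there before the script body runs, whereas the <code>buildscript {}</code> plus explicit <code>apply(plugin = ...)</code> form leaves a window between download and class loading in which the digest check can run.</p>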