[bisq-network/bisq] Update gradle-witness.jar (#1901)

Chris Beams notifications at github.com
Fri Nov 9 20:59:09 UTC 2018


Thanks, @devinbileck. To be cautious, we should think about how we know that updates to this jar are legit. For example, I just built the jar against the same commit using Gradle 4.10.2 / OpenJDK 10.0.2 and got the following result:

```
$ sum build/libs/gradle-witness.jar
54082 18 build/libs/gradle-witness.jar
```

Whereas when I sync up to your PR branch and run the same checksum, I get a different value:

```
$ sum gradle/witness/gradle-witness.jar
57838 18 gradle/witness/gradle-witness.jar
```

So, while I trust you simply built the jar as you claim, there's no way of knowing right now that it's actually a representation of the sources at that commit, i.e., it could contain a trojan horse.

Ideally, we should set up Travis CI in our new gradle-witness fork and print out a checksum at the end of the build, so that we have something objective to check against when the jar it produces is checked in here. That assumes that building this jar is deterministic under the same Gradle / JDK, and I think it should be. I unzipped the jar and checked for properties files with dates in them, etc., and I didn't see anything. So it should be possible to get the exact same checksum on different machines and operating systems.

In the meantime, let's just see if we can align on the same checksum between our two versions of the jar. Did you build with Gradle 4.10.2 / OpenJDK 10.0.2 as well? I'm committing a Gradle wrapper pinned to 4.10.2 to make it a little easier.



https://github.com/bisq-network/bisq/pull/1901#issuecomment-437493277
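The reproducibility question raised in the comment above (two jars built from the same commit giving different `sum` values) can be diagnosed rather than guessed at. The following is an added example, not code from the thread or from the gradle-witness project: it builds two constructed in-memory jars with identical entry contents but different entry modification times (every zip entry carries a DOS-format mtime in both its local header and the central directory), shows that a whole-file digest differs while a content-only digest over sorted entry names and uncompressed bytes matches, and reports per entry whether the difference is metadata-only or a real content change. The entry names and bytes are constructed placeholders, not the real plugin's classes.

```python
import hashlib
import io
import zipfile


def build_jar(entries, date_time):
    """Build an in-memory jar (a zip) from {name: bytes} with one fixed entry mtime.
    Constructed stand-in for a real Gradle build output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def raw_digest(jar_bytes):
    """Whole-file digest: what `sum` or `sha256sum` on the jar would see."""
    return hashlib.sha256(jar_bytes).hexdigest()


def content_digest(jar_bytes):
    """Digest over sorted entry names plus uncompressed contents only,
    ignoring timestamps, compression details and central-directory layout."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            h.update(name.encode("utf-8") + b"\0")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def diff_jars(a_bytes, b_bytes):
    """Explain why two jars differ: entries present on one side only, entries whose
    bytes differ (the case that matters for trust), and entries whose bytes match
    but whose metadata (mtime, external attributes) differs (harmless noise)."""
    with zipfile.ZipFile(io.BytesIO(a_bytes)) as za, \
            zipfile.ZipFile(io.BytesIO(b_bytes)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        report = {
            "only_in_a": sorted(names_a - names_b),
            "only_in_b": sorted(names_b - names_a),
            "content_differs": [],
            "metadata_only": [],
        }
        for name in sorted(names_a & names_b):
            ia, ib = za.getinfo(name), zb.getinfo(name)
            if za.read(name) != zb.read(name):
                report["content_differs"].append(name)
            elif ia.date_time != ib.date_time or ia.external_attr != ib.external_attr:
                report["metadata_only"].append(name)
    return report


# Constructed sample entries (placeholder names and bytes, not the real plugin).
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "example/witness/Plugin.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
    "example/witness/Verify.class": b"\xca\xfe\xba\xbe" + b"\x01" * 16,
}

# Same sources, built at two different times: only the entry mtimes differ.
JAR_FIRST = build_jar(SAMPLE_ENTRIES, (2018, 11, 9, 12, 0, 0))
JAR_REBUILT = build_jar(SAMPLE_ENTRIES, (2018, 11, 9, 13, 30, 0))

# Same build time, but one class file's bytes were altered.
TAMPERED_ENTRIES = dict(SAMPLE_ENTRIES)
TAMPERED_ENTRIES["example/witness/Plugin.class"] = b"\xca\xfe\xba\xbe" + b"\xff" * 16
JAR_TAMPERED = build_jar(TAMPERED_ENTRIES, (2018, 11, 9, 12, 0, 0))


if __name__ == "__main__":
    print("raw digests equal:    ", raw_digest(JAR_FIRST) == raw_digest(JAR_REBUILT))
    print("content digests equal:", content_digest(JAR_FIRST) == content_digest(JAR_REBUILT))
    print("rebuilt vs first:     ", diff_jars(JAR_FIRST, JAR_REBUILT))
    print("tampered vs first:    ", diff_jars(JAR_FIRST, JAR_TAMPERED))
```

Running this shows the two honest builds disagree on the raw digest but agree on the content digest, with every entry listed under `metadata_only`, while the altered jar is flagged under `content_differs`. For the CI check proposed in the comment, a whole-file `sha256sum` is a better thing to print than the 16-bit `sum` checksum, and the build's mtimes need to be pinned for that whole-file value to be reproducible; if the `diff_jars` report on two builds from the same commit shows anything other than an empty `content_differs`, the jar should not be trusted until the difference is explained.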