[bisq-network/bisq] Add checksum-dependency-plugin to verify plugin and dependency checksums (#3051)

Vladimir Sitnikov notifications at github.com
Mon Aug 5 14:18:20 UTC 2019


> If someone replaces the plugin with a hostile version that just does not check anything, how will that be detected?

Checksumming is done by added code in settings.gradle.kts:  https://github.com/bisq-network/bisq/pull/3051/files#diff-88b7c47e47b8ee65263b6784b86fa0a7R30-R39
The plugin is not used to checksum itself.

The sequence is as follows:
1) Dependency is declared
2) Dependency is resolved (jar file is downloaded) by `buildscript.configurations.classpath.resolve()`
3) Its checksum is verified
4) Then the plugin is applied

I probably need to add an explicit test to the `checksum-dependency-plugin` codebase (to ensure that this holds for future Gradle versions). However, I did try to add a static initializer block to the plugin to see if it could execute before checksum verification, and the outcome is that the static initializer is NOT executed before checksumming (at least in Gradle 5.5.1).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/3051#issuecomment-518253346
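The four-step sequence described in the comment above (declare, resolve, verify, then apply), written out as a self-contained settings.gradle.kts. This is an added illustration, not the code from PR #3051 and not the checksum-dependency-plugin's own implementation; the plugin coordinates `com.example:settings-plugin:1.0.0`, the plugin id `com.example.settings-plugin` and the checksum value are placeholders. The point it shows is that the verification code and the pinned checksums live in the version-controlled settings script, so a replaced or tampered jar is rejected before any of its classes are loaded, and the plugin is never trusted to verify itself.

```kotlin
// settings.gradle.kts -- added example, not Bisq's or the plugin's own code.
import java.io.File
import java.security.MessageDigest

// Step 1: declare the plugin as a buildscript dependency (hypothetical coordinates).
buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        classpath("com.example:settings-plugin:1.0.0")
    }
}

// Pinned SHA-512 checksums keyed by jar file name. Placeholder value: replace it with the
// checksum computed from a trusted copy of each jar. These pins are committed with the
// build, so changing them is visible in code review.
val expectedSha512: Map<String, String> = mapOf(
    "settings-plugin-1.0.0.jar" to "0000000000000000000000000000000000000000000000000000000000000000" +
        "0000000000000000000000000000000000000000000000000000000000000000",
)

// Streams the file through SHA-512 and returns the lower-case hex digest.
fun sha512(file: File): String {
    val md = MessageDigest.getInstance("SHA-512")
    file.inputStream().use { input ->
        val buf = ByteArray(64 * 1024)
        while (true) {
            val n = input.read(buf)
            if (n < 0) break
            md.update(buf, 0, n)
        }
    }
    return md.digest().joinToString("") { "%02x".format(it) }
}

// Step 2: resolve (download) the buildscript classpath. Only files are produced here;
// no class from the jars is loaded or executed.
val resolvedJars: Set<File> = buildscript.configurations["classpath"].resolve()

// Step 3: verify every resolved jar. A jar with no pinned checksum is a failure too,
// otherwise a newly injected transitive dependency would pass silently.
val violations = resolvedJars.mapNotNull { jar ->
    val actual = sha512(jar)
    val expected = expectedSha512[jar.name]
    when {
        expected == null -> "${jar.name}: no pinned checksum (actual sha512=$actual)"
        !expected.equals(actual, ignoreCase = true) -> "${jar.name}: expected $expected, got $actual"
        else -> null
    }
}
if (violations.isNotEmpty()) {
    throw GradleException("Buildscript checksum verification failed:\n" + violations.joinToString("\n"))
}

// Step 4: only after verification succeeded is the plugin applied, which is the first
// point at which its classes are loaded and its code runs.
apply(plugin = "com.example.settings-plugin")
```

Because the digest is computed over the file Gradle actually resolved (not over whatever the plugin reports about itself), swapping the jar in the cache or at the repository is caught at step 3; the hostile version never reaches step 4. When the plugin is upgraded, the pin in `expectedSha512` has to be updated in the same commit, which is the review point where a maintainer confirms the new checksum against a trusted source.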