[bisq-network/bisq] Transitive dependencies creating version conflicts & missing jar verification (#4086)

cd2357 notifications at github.com
Mon May 17 14:31:00 CEST 2021


Same here, was also looking for alternatives.

Some of the issues with `gradle-witness` I found:
* it doesn't check transitive dependencies (signalapp/gradle-witness#33)
* it doesn't verify plugins, only dependencies (https://github.com/bisq-network/bisq/pull/5497#issuecomment-842226991)
* your issue described above
* far fewer hashes in `gradle-witness.gradle` than actual dependencies used in the build

Seems to give a false sense of security.

Related older thread: https://github.com/bisq-network/bisq/issues/1897#issue-378601497

Main solutions I came across so far:
* https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin
  * From their README: _`Checksum Dependency Plugin` is probably the first plugin that is able to verify Gradle Plugins and that is able to use PGP for trust-based verification._
* https://github.com/gradle/gradle/issues/10443

cc @bisq-network/bisq-devs: If you have other ideas, add as comments below.

Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/issues/4086#issuecomment-842285737
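As an added example (not from this thread, nor from bisq or gradle-witness), a small Python audit of the coverage gap the comment lists: it parses the `group:name:sha256` entries of a `gradle-witness.gradle` block (that entry form is assumed) and the tree printed by `./gradlew dependencies`, then reports every resolved artifact, transitive ones included, that has no pinned hash; `->` markers are read as Gradle's version-conflict resolution. Both inputs below are constructed samples.

```python
import re

FAKE_SHA = "0" * 60  # constructed placeholder prefix; real entries carry 64 hex chars

# Constructed gradle-witness.gradle excerpt (entry form group:name:sha256 assumed).
WITNESS_GRADLE = f"""
dependencyVerification {{
    verify = [
        'com.google.guava:guava:{FAKE_SHA}0001',
        'org.slf4j:slf4j-api:{FAKE_SHA}0002',
    ]
}}
"""

# Constructed excerpt of `./gradlew dependencies --configuration runtimeClasspath`.
DEPENDENCY_TREE = """
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.google.guava:guava:28.2-jre
|    +--- com.google.guava:failureaccess:1.0.1
|    \\--- org.checkerframework:checker-qual:2.10.0
+--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
\\--- ch.qos.logback:logback-classic:1.2.3
     +--- ch.qos.logback:logback-core:1.2.3
     \\--- org.slf4j:slf4j-api:1.7.30 (*)
"""

WITNESS_RE = re.compile(r"'([^:']+):([^:']+):([0-9a-fA-F]{64})'")
# Tree nodes: drawing prefix, then group:name:version, optionally "-> resolved".
TREE_RE = re.compile(r"^[|\s+\\-]*---\s+([^:\s]+):([^:\s]+):(\S+)(?:\s+->\s+(\S+))?")

def witness_entries(text):
    """Return {"group:name": sha256} for every pinned entry in the witness block."""
    return {f"{g}:{n}": h.lower() for g, n, h in WITNESS_RE.findall(text)}

def resolved_artifacts(text):
    """Return {"group:name": version} for every node of the tree, transitive
    nodes included; a '->' arrow means conflict resolution chose the right side."""
    found = {}
    for line in text.splitlines():
        m = TREE_RE.match(line)
        if m:
            group, name, declared, resolved = m.groups()
            found[f"{group}:{name}"] = resolved or declared
    return found

def unverified(witness_text, tree_text):
    """Artifacts on the resolved classpath that have no hash pinned in the witness file."""
    pinned = witness_entries(witness_text)
    return {k: v for k, v in resolved_artifacts(tree_text).items() if k not in pinned}

if __name__ == "__main__":
    for coord, version in sorted(unverified(WITNESS_GRADLE, DEPENDENCY_TREE).items()):
        print(f"UNVERIFIED {coord}:{version}")
```

Run against a real witness file and the full `dependencies` output (one configuration at a time), the same functions list what the build actually pulls in without a pinned hash.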