Add checksum-dependency-plugin for verification of plugin/dependency checksums

[vlsi]

checksum-dependency-plugin is a superset of gradle-witness, and it enables to increase the level of security.

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin

Signed-off-by: Vladimir Sitnikov sitnikov.vladimir@gmail.com

[mvmike]

I see no need of checking checksums of all libs since both repositories used in this project (jcenter and google) are accessed through https

[vlsi]

Ok, I see your point.

By the way, here's an explanation why https is not enough: https://medium.com/@vladimirsitniko/dependency-verification-checksum-vs-pgp-582e76207019?sk=7485298b76eaf9f935b899b002f4c3b5

Here's a case with JCenter: https://blog.autsoft.hu/a-confusing-dependency/
Here's a case with NPM: https://news.ycombinator.com/item?id=14901566

[msgilligan]

https

both repositories used in this project (jcenter and google) are accessed through https

Using https only protects from tampering while in-transit. If someone hacks the server or manages to re-publish tampered binaries to the server that won't be detected/prevented by https.

[mvmike]

Got the point. Still, it only helps if the file is tampered after being upgraded on the project along with its checksum (many of the checksums added to the PR are not officially published by their respective owners).

I'm aware that from the security perspective we should always be aiming for risk reduction, I just think that this is covering a single and very un-probable scenario thus making it not worth the effort.