
Add checksum-dependency-plugin for verification of plugin/dependency checksums #23615

Closed

Conversation

vlsi (Contributor) commented Sep 10, 2019

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Sep 10, 2019
…checksums

`checksum-dependency-plugin` is a superset of `gradle-witness`, and it enables increasing the level of security.

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin
vlsi (Contributor, Author) commented Dec 24, 2019

Hi, I see the PR has not been reviewed much yet :)

You might be interested to know that Gradle 6.2 introduces in-core dependency verification.

The documentation can be reviewed here: gradle/gradle#11755

From what I know, Gradle would cover more cases when compared with checksum-dependency-plugin. For instance, it will be able to verify pom.xml files which are implicitly fetched by Gradle when resolving transitive dependencies, and probably other cases.

Some bits can be previewed in the current release candidates, release nightly builds and master nightly builds (see https://gradle.org/releases/).

It would be nice if you could preview the feature and provide your feedback.

bclozel (Member) commented Sep 26, 2022

Spring Framework has many optional dependencies and maintaining a verification-metadata.xml file that's over 330K big is not really manageable. In the meantime we've seen that sigstore (and it seems you're contributing there) is trying a different approach.

We're generally interested in this theme but we don't think the current approach will fit our project. We'll keep an eye on alternate solutions. Thanks!

@bclozel bclozel closed this Sep 26, 2022
@bclozel bclozel added type: task A general task status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Sep 26, 2022
vlsi (Contributor, Author) commented Sep 26, 2022

@bclozel, sigstore won't be much different, by the way.

In a nutshell:

  • PGP: "we maintain a list of PGP keys and checksums we trust. The PGP key id for each dependency is taken from the official website"
  • Sigstore: "we trust logback if the artifact was built with GitHub Action release.yaml running in github.com/qos-ch/logback repository"

In both cases, the amount of metadata is pretty much the same, and the main difference would be that "PGP key ids are unreadable" while "GitHub Action release.yaml running in github.com/qos-ch/logback repository" would be pretty much understandable by humans.
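The "list of checksums we trust" model that both the plugin and Gradle's `verification-metadata.xml` rely on, as an added example that is not code from the plugin, Spring or Gradle: a constructed metadata entry pinning one artifact's SHA-256, and a check of downloaded bytes against it that fails closed for unlisted artifacts. The XML shape follows Gradle's dependency-verification schema; the artifact bytes, hash and `origin` note are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

GRADLE_NS = "https://schema.gradle.org/dependency-verification"
NS = {"v": GRADLE_NS}

# Constructed stand-in for a downloaded jar; the pinned hash is derived from it.
FAKE_JAR = b"PK\x03\x04 constructed stand-in for logback-classic-1.2.3.jar"
PINNED = hashlib.sha256(FAKE_JAR).hexdigest()

# Constructed verification-metadata.xml with a single pinned artifact.
METADATA_XML = f"""<verification-metadata xmlns="{GRADLE_NS}">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="ch.qos.logback" name="logback-classic" version="1.2.3">
      <artifact name="logback-classic-1.2.3.jar">
        <sha256 value="{PINNED}" origin="constructed for this example"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""

def pinned_sha256(metadata_xml, group, name, version, artifact):
    """Return the pinned sha256 hex for one artifact, or None if it is not listed."""
    root = ET.fromstring(metadata_xml)
    for comp in root.findall("v:components/v:component", NS):
        if (comp.get("group"), comp.get("name"), comp.get("version")) != (group, name, version):
            continue
        for art in comp.findall("v:artifact", NS):
            if art.get("name") == artifact:
                node = art.find("v:sha256", NS)
                return node.get("value") if node is not None else None
    return None

def verify_artifact(metadata_xml, group, name, version, artifact, data):
    """True only when the artifact is pinned and its bytes hash to the pinned value.
    An artifact with no entry is rejected rather than silently trusted."""
    expected = pinned_sha256(metadata_xml, group, name, version, artifact)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected
```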
