Closed t895 closed 6 months ago
It's not guaranteed that these regexes won't match compile-time dependencies. It would be more reliable to add hashes of these files instead.
Why not just change the regexes in the future if this becomes a problem? As I understand it, you currently just run the autogeneration command for verification-metadata.xml and that doesn't automatically write information about the files that I have excluded here. Since afaik there's no way to manually tell Gradle to generate information on these files either, it just adds a ton of manual work every time there's a dependency update.
Also, if the gradle team recommends this solution themselves, is this conflict even likely to happen?
How would we know that these regexes became a problem?
After you update dependencies and generate the updated verification-metadata.xml, if the build fails due to a missing checksum related to a file that matches one of the patterns that I added, then you know there's a problem with the regexes.
It's not guaranteed that these regexes won't match compile-time dependencies.
That's the problem that I was referring to. These regexes might lead to skipped verification of compile-time dependencies. Also, any dependency can be conceivably replaced with a malicious version, even if that dependency doesn't affect app compilation.
Oh I'm sorry, I somehow misread that.
You're right then. There's no way to know that an added dependency will match this regex even though it's unlikely.
Now, without this change, you really can't operate on this project with Android Studio, so I'll just make a script to ignore these checks or delete the verification-metadata.xml file while I work on this locally.
If I find that Gradle / IntelliJ has a better way to control this behavior, I'll open another PR.
When these files are left untrusted, Gradle sync would fail in Android Studio. The only files that we need to be verified are the compiled libraries that we're pulling.
Taken from the Gradle documentation - https://docs.gradle.org/8.7/userguide/dependency_verification.html#sec:skipping-javadocs
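The thread above asks how anyone would notice if a `<trusted-artifacts>` regex started matching a compile-time dependency, since a trusted artifact is simply never checksum-verified and the build stays green. The script below is an added example, not code from this PR or from Gradle: it parses a constructed verification-metadata.xml, takes a constructed list of resolved artifact file names with the configuration they were resolved for, and reports every artifact that is skipped by a regex while sitting on a compile or runtime classpath, as well as every artifact that has neither a trust rule nor a checksum. The first two `<trust>` entries are the pattern from the linked Gradle docs; the third (`.*sources.*`) is deliberately broad to show the failure mode. Assumptions: Gradle matches `regex="true"` trust entries against the whole file name (full match), a matching trust rule takes precedence over any recorded checksum, and the `ide` configuration name and all checksum values are made up.

```python
"""
Audit which resolved Gradle artifacts are silently exempted from checksum
verification by <trusted-artifacts> regexes. Added example, not the project's
or Gradle's own tooling.
"""
import re
import xml.etree.ElementTree as ET

# Constructed verification-metadata.xml. Checksum values are dummies.
# Entries 1 and 2 are the Gradle docs' "skip javadocs/sources" patterns;
# entry 3 is intentionally too broad.
METADATA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
    <trusted-artifacts>
      <trust file=".*-javadoc[.]jar" regex="true"/>
      <trust file=".*-sources[.]jar" regex="true"/>
      <trust file=".*sources.*" regex="true"/>
    </trusted-artifacts>
  </configuration>
  <components>
    <component group="com.squareup.okhttp3" name="okhttp" version="4.12.0">
      <artifact name="okhttp-4.12.0.jar">
        <sha256 value="0000000000000000000000000000000000000000000000000000000000000000"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""

# Constructed (file name, configuration it was resolved for). In practice you
# would collect this from `gradle dependencies` or the verification report.
RESOLVED = [
    ("okhttp-4.12.0.jar", "compileClasspath"),
    ("okhttp-4.12.0-sources.jar", "ide"),           # "ide" is an assumed name
    ("okhttp-4.12.0-javadoc.jar", "ide"),
    ("opensources-core-1.0.jar", "runtimeClasspath"),  # swallowed by ".*sources.*"
    ("newlib-2.0.jar", "compileClasspath"),          # no rule, no checksum
]

CHECKSUM_TAGS = {"md5", "sha1", "sha256", "sha512"}


def _local(tag):
    """Strip the XML namespace so we can compare local element names."""
    return tag.rsplit("}", 1)[-1]


def load_metadata(xml_text):
    """Return (compiled regex trust rules in document order, set of artifact
    file names that carry at least one checksum)."""
    root = ET.fromstring(xml_text)
    patterns, checksummed = [], set()
    for el in root.iter():
        name = _local(el.tag)
        if name == "trust" and el.get("regex") == "true" and el.get("file"):
            patterns.append(re.compile(el.get("file")))
        elif name == "artifact":
            if any(_local(c.tag) in CHECKSUM_TAGS for c in el):
                checksummed.add(el.get("name"))
    return patterns, checksummed


def classify(file_name, patterns, checksummed):
    """'trusted:<regex>' if a trust rule exempts the file (assumed full-match
    semantics, first rule wins), 'verified' if a checksum is recorded,
    otherwise 'missing' (Gradle would fail the build here)."""
    for p in patterns:
        if p.fullmatch(file_name):
            return "trusted:" + p.pattern
    if file_name in checksummed:
        return "verified"
    return "missing"


def audit(xml_text, resolved):
    """Map each resolved file to its verdict; mark regex-trusted artifacts that
    end up on a compile/runtime classpath, since those ship unverified code."""
    patterns, checksummed = load_metadata(xml_text)
    report = {}
    for file_name, configuration in resolved:
        verdict = classify(file_name, patterns, checksummed)
        if verdict.startswith("trusted:") and configuration.endswith("Classpath"):
            verdict += " !! unverified code on " + configuration
        report[file_name] = verdict
    return report


def problems(xml_text, resolved):
    """Sorted file names that need attention: regex-trusted on a classpath,
    or missing a checksum entirely."""
    return sorted(f for f, v in audit(xml_text, resolved).items()
                  if "!!" in v or v == "missing")


if __name__ == "__main__":
    for f, v in audit(METADATA_XML, RESOLVED).items():
        print(f"{f:32} {v}")
    print("needs attention:", problems(METADATA_XML, RESOLVED))
```

Run it against the real verification-metadata.xml after a dependency update and feed it the resolved classpaths; the "needs attention" list is exactly the signal the thread says is otherwise invisible. Note that `newlib-2.0.jar` is the case where Gradle itself fails loudly, while `opensources-core-1.0.jar` is the case where it does not.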