SecUSo / privacy-friendly-passwordgenerator

Privacy Friendly App that deterministically generates passwords from parameters and a master password.
https://secuso.org/pfa
GNU General Public License v3.0

insecure gradlew #25

Closed IzzySoft closed 5 years ago

IzzySoft commented 5 years ago

Just a minor adjustment, but could you please fix the gradle conf:

Found plain HTTP URL for gradle repository:
build/org.secuso.privacyfriendlypasswordgenerator/app/build.gradle
repositories{
    maven {
        url 'http://dl.bintray.com/amulyakhare/maven'
    }
gradle build uses plain HTTP URLs for repositories!  This is insecure!
https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
ERROR: Job failed: exit code 1

(fdroid build complains, pipeline breaks) Fix should be as easy as replacing http by https (URL works then) – but not being an Android dev I cannot verify that.

Thanks!

IzzySoft commented 5 years ago

Thanks!

Kamuno commented 5 years ago

Just realized I didn't do it correctly the first time. Should be fixed now. I somehow assumed the issue was about the checksum not being correct (which it wasn't) because "insecure gradlew" is the tag set for exactly this problem on fdroid.

Should be fixed now. Also increased the version number.

IzzySoft commented 5 years ago

No, the problem I reported here was the plain http url which should be https. And that's fixed now with 46ea9d5588073f53fca32a4fe0f3bc3addbe0ca3 as I can see :wink:
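
The kind of check that flagged this build can be reproduced locally before pushing. The following is an added example, not code from this repository or from F-Droid's scanner: it reports `http://` URLs set inside `repositories { }` blocks of a Gradle file. The function name, the sample file and the `example.invalid` hosts are constructed for illustration; only the bintray URL comes from the issue.

```python
import re

# Matches `url '...'`, `url "..."`, `url = uri("...")` and `url("...")`.
URL_SETTING = re.compile(r"""\burl\b\s*[=(]?\s*(?:uri\s*\(\s*)?['"](?P<url>[^'"]+)['"]""")
REPO_BLOCK = re.compile(r"\brepositories\s*\{")
LINE_COMMENT = re.compile(r"(?<!:)//.*")  # keep the "//" of "http://"


def find_plain_http_repos(gradle_text):
    """Return [(line_no, url)] for http:// URLs set inside repositories { } blocks.

    Assumes braces do not occur inside string literals and ignores /* */ comments.
    """
    findings = []
    depth = 0          # current brace nesting
    repo_depth = None  # nesting level at which the repositories block opened
    for line_no, raw in enumerate(gradle_text.splitlines(), start=1):
        line = LINE_COMMENT.sub("", raw)
        if repo_depth is None and REPO_BLOCK.search(line):
            repo_depth = depth
        if repo_depth is not None:
            for match in URL_SETTING.finditer(line):
                if match.group("url").lower().startswith("http://"):
                    findings.append((line_no, match.group("url")))
        depth += line.count("{") - line.count("}")
        if repo_depth is not None and depth <= repo_depth:
            repo_depth = None  # the repositories block has closed
    return findings


# Constructed build.gradle; only the bintray URL comes from the issue.
SAMPLE = """\
repositories {
    mavenCentral()
    maven {
        url 'http://dl.bintray.com/amulyakhare/maven'
    }
    maven { url = uri("https://repo.example.invalid/releases") }
    // maven { url 'http://old.example.invalid/maven' }
}
projectInfo {
    url 'http://example.invalid/homepage'
}
"""

if __name__ == "__main__":
    for line_no, url in find_plain_http_repos(SAMPLE):
        print(f"build.gradle:{line_no}: plain HTTP repository URL: {url}")
```

Only the uncommented repository entry is reported; the commented-out line and the `url` outside the `repositories` block are skipped.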