datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

Not repeatable builds since migrating to maven central #85

Closed calvarez-ov closed 3 years ago

calvarez-ov commented 3 years ago

Describe the bug
Our builds are failing since this morning because of an apparent change in the pom dependencies from TrustKit. We have a check in our build to be sure we know of all dependencies that are pulled into our project transitively. It started failing today because there's a new transitive dependency being pulled in by TrustKit: androidx.legacy:legacy-support-v4.

To Reproduce
Steps to reproduce the behavior: look at the pom file on jcenter. There are no <dependencies>:

<?xml version="1.0" encoding="UTF-8"?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.datatheorem.android.trustkit</groupId>
  <artifactId>trustkit</artifactId>
  <version>1.1.3</version>
  <packaging>aar</packaging>
  <name>TrustKit-Android</name>
  <description>TrustKit Android is an open source library that makes it easy to deploy SSL public key pinning and reporting in any Android App.</description>
  <url>https://github.com/datatheorem/TrustKit-Android</url>
  <licenses>
    <license>
      <name>The MIT License (MIT)</name>
      <url>https://github.com/datatheorem/TrustKit-Android/blob/master/LICENSE</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <id>nabla-c0d3</id>
      <name>Alban Diquet</name>
      <email>ad@datatheorem.com</email>
    </developer>
    <developer>
      <id>jobot0</id>
      <name>Jordan Bouellat</name>
      <email>jb@datatheorem.com</email>
    </developer>
  </developers>
  <scm>
    <connection>https://github.com/datatheorem/TrustKit-Android</connection>
    <developerConnection>https://github.com/datatheorem/TrustKit-Android</developerConnection>
    <url>https://github.com/datatheorem/TrustKit-Android</url>
  </scm>
</project>

Look at the pom file on maven central. There are three <dependency>s:

...
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.datatheorem.android.trustkit</groupId>
  <artifactId>trustkit</artifactId>
  <version>1.1.3</version>
  <packaging>aar</packaging>
  <name>trustkit</name>
  <description>TrustKit Android SDK</description>
  <url>https://github.com/umangmathur92/TrustKit-Android</url>
  <licenses>
    <license>
      <name>The MIT License (MIT)</name>
      <url>https://github.com/umangmathur92/TrustKit-Android/blob/master/LICENSE</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <id>nabla-c0d3</id>
      <name>Alban Diquet</name>
      <email>ad@datatheorem.io</email>
    </developer>
    <developer>
      <id>umangmathur92</id>
      <name>Umang Mathur</name>
      <email>um@datatheorem.io</email>
    </developer>
  </developers>
  <scm>
    <connection>scm:git:github.com/umangmathur92/TrustKit-Android.git</connection>
    <developerConnection>scm:git:ssh://github.com/umangmathur92/TrustKit-Android.git</developerConnection>
    <url>https://github.com/umangmathur92/TrustKit-Android/tree/main</url>
  </scm>
  <dependencies>
    <dependency>
      <groupId>androidx.annotation</groupId>
      <artifactId>annotation</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>androidx.legacy</groupId>
      <artifactId>legacy-support-v4</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>androidx.preference</groupId>
      <artifactId>preference</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>

Expected behavior
For the same version of the library (1.1.3), the dependencies should be identical, regardless of whether the library is hosted on jcenter or maven central.

Actual behavior: dependencies are different.
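The drift reported above is exactly what a build-side dependency check should catch: the same coordinates (com.datatheorem.android.trustkit:trustkit:1.1.3) resolving to different declared dependencies depending on which repository served the POM. The script below is an added example, not TrustKit's own tooling or anything from this thread. It parses two POM documents with a namespace-aware XML parser, refuses to compare POMs whose coordinates differ, reports which dependencies appear in only one of them, and fails closed against an allowlist the way the reporter's build check does. The two POM strings are constructed inline, abridged from the ones quoted in the issue, so the example runs offline; in practice you would fetch the `.pom` for each repository you resolve from.

```python
"""Detect dependency drift between two copies of the same Maven POM.

Added example; not part of TrustKit-Android. Inputs are constructed here,
abridged from the jcenter and Maven Central POMs quoted in the issue.
"""
import xml.etree.ElementTree as ET

# The POM 4.0.0 namespace; every element in a POM lives under it, so plain
# tag names such as "dependency" will not match without this prefix map.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed input: the jcenter POM declares no <dependencies> at all.
JCENTER_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.datatheorem.android.trustkit</groupId>
  <artifactId>trustkit</artifactId>
  <version>1.1.3</version>
  <packaging>aar</packaging>
</project>
"""

# Constructed input: the Maven Central POM for the same coordinates declares three.
MAVEN_CENTRAL_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.datatheorem.android.trustkit</groupId>
  <artifactId>trustkit</artifactId>
  <version>1.1.3</version>
  <packaging>aar</packaging>
  <dependencies>
    <dependency>
      <groupId>androidx.annotation</groupId>
      <artifactId>annotation</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>androidx.legacy</groupId>
      <artifactId>legacy-support-v4</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>androidx.preference</groupId>
      <artifactId>preference</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag):
    """Return the stripped text of a direct child element, or None if absent."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def coordinates(pom_xml):
    """(groupId, artifactId, version) of the artifact the POM describes."""
    root = ET.fromstring(pom_xml)
    return (_text(root, "groupId"), _text(root, "artifactId"), _text(root, "version"))


def declared_dependencies(pom_xml):
    """Map {(groupId, artifactId): version} of non-test dependencies declared in the POM.

    Only direct declarations are read; parent POMs, BOM imports and
    dependencyManagement are not resolved here.
    """
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        # A missing <scope> means "compile", which consumers do pull in.
        if (_text(dep, "scope") or "compile") == "test":
            continue
        deps[(_text(dep, "groupId"), _text(dep, "artifactId"))] = _text(dep, "version")
    return deps


def dependency_drift(pom_a, pom_b):
    """Compare two POMs for the same coordinates and report any difference."""
    if coordinates(pom_a) != coordinates(pom_b):
        raise ValueError(f"not the same artifact: {coordinates(pom_a)} vs {coordinates(pom_b)}")
    a, b = declared_dependencies(pom_a), declared_dependencies(pom_b)
    return {
        "only_in_a": sorted(k for k in a if k not in b),
        "only_in_b": sorted(k for k in b if k not in a),
        "version_mismatch": sorted(k for k in a if k in b and a[k] != b[k]),
    }


def check_allowlist(pom_xml, allowed):
    """Fail closed: return every declared dependency not in the allowlist."""
    return sorted(k for k in declared_dependencies(pom_xml) if k not in allowed)


if __name__ == "__main__":
    print(dependency_drift(JCENTER_POM, MAVEN_CENTRAL_POM))
    known = {("androidx.annotation", "annotation"), ("androidx.preference", "preference")}
    print("unexpected:", check_allowlist(MAVEN_CENTRAL_POM, known))
```

The comparison deliberately keys on (groupId, artifactId) rather than on the raw XML, so a POM that merely reorders elements or changes `<description>` is not flagged, while a new artifact or a changed version is. It only sees what the POM declares; the dependency graph your build actually resolves can still differ through parent POMs, BOMs and conflict resolution, so the allowlist check belongs on the resolved graph too, and comparing the published checksum files next to each artifact is the complementary check that the binary itself did not change between repositories.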

umangmathur92 commented 3 years ago

androidx.annotation and androidx.preference not getting added to the dependencies node of the pom file was a bug. Also, realized that androidx.legacy:legacy-support-v4 was not being used anywhere in the project - removed it.

Agreed that for the same version of the library, dependencies should be identical. Will ensure that doesn't happen going forward.

Version 1.1.5 is now live on MavenCentral.