Open vlsi opened 3 years ago
/cc @JLLeitschuh
Gradle distribution validation might be relevant as well: https://github.com/gradle/actions/issues/286
Such an improvement should be offered for the Maven and Jbang wrappers as well.

Of course, if you think it is worth integrating the verification into `gm`, then it would be great to integrate it for all the build systems.

Before doing it on `gm`, the question is why don't the original tools provide such verification ootb? I know gradle does it with a Github Action on CI. Does it work with other CIs as well? Can the `gradle` or `gradlew` commands perform the check? Is it secure to do so or does this verification require another party?
`gm` is the tool for end-users rather than a CI tool, so I guess CI questions are irrelevant here
> Can the gradle or gradlew commands perform the check?

The key question here is: do you trust `gradlew` to validate itself?
What do you think if `gm` verifies the checksum of the `gradle/wrapper/gradle-wrapper.jar` file?

Of course, it won't make the build completely secure (e.g. a malicious repository could augment `gradlew` to use a different jar for the classpath), however it might improve things since text files (e.g. build scripts, batch scripts) are easier to review than binary jars.

An alternative (or additional) option is to verify the integrity of `gradlew` and `gradlew.bat` (e.g. hard-code well-known good checksums).

An alternative option is to use a `gw`-controlled set of `gradlew` executables (and `gradle-wrapper.jar`) so `gw` uses a trusted wrapper.
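The check proposed in this comment, as an added example that is not `gm`'s or the Gradle project's own code: a POSIX shell function that hashes `gradle/wrapper/gradle-wrapper.jar` and compares it against a locally kept allow-list of known-good SHA-256 checksums, refusing to run the wrapper on a mismatch. The allow-list format (one `<sha256>  <label>` per line), the `verify_wrapper_jar` name and the constructed demo repositories are assumptions.

```shell
#!/bin/sh
# Added example, not gm's code: verify a repository's gradle-wrapper.jar
# against an allow-list of SHA-256 checksums before trusting gradlew.

# sha256 of a file; works with GNU sha256sum or BSD/macOS shasum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_wrapper_jar <repo-dir> <allow-list-file>
# 0 = jar matches a known-good checksum, 1 = jar missing, 2 = not on the list.
verify_wrapper_jar() {
    jar="$1/gradle/wrapper/gradle-wrapper.jar"
    allowlist="$2"
    [ -f "$jar" ] || { echo "missing $jar" >&2; return 1; }
    actual=$(sha256_of "$jar")
    # hashes are hex, so an anchored case-insensitive match is enough
    if grep -qi "^$actual[[:space:]]" "$allowlist"; then
        echo "gradle-wrapper.jar OK ($actual)"
        return 0
    fi
    echo "gradle-wrapper.jar checksum $actual is NOT on the allow-list; refusing to run gradlew" >&2
    return 2
}

# Constructed demo: a "good" repo whose jar bytes are on the allow-list and a
# "bad" repo with a modified jar. Prints the two return codes as "<good> <bad>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/gradle/wrapper" "$tmp/bad/gradle/wrapper"
    printf 'constructed wrapper jar bytes\n' > "$tmp/good/gradle/wrapper/gradle-wrapper.jar"
    printf 'constructed wrapper jar bytes, modified\n' > "$tmp/bad/gradle/wrapper/gradle-wrapper.jar"
    printf '%s  gradle-wrapper.jar (constructed known-good)\n' \
        "$(sha256_of "$tmp/good/gradle/wrapper/gradle-wrapper.jar")" > "$tmp/known-good.txt"
    if verify_wrapper_jar "$tmp/good" "$tmp/known-good.txt"; then good_rc=0; else good_rc=$?; fi
    if verify_wrapper_jar "$tmp/bad" "$tmp/known-good.txt"; then bad_rc=0; else bad_rc=$?; fi
    rm -rf "$tmp"
    echo "$good_rc $bad_rc"
}
```

The same allow-list approach covers `gradlew` and `gradlew.bat`, which is the second option raised in the comment.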