mvmike / min-cal-widget

Minimal calendar widget
BSD 3-Clause "New" or "Revised" License

Add checksum-dependency-plugin for verification of plugin/dependency checksums #44

Closed vlsi closed 5 years ago

vlsi commented 5 years ago

checksum-dependency-plugin is a superset of gradle-witness, and it enables increasing the level of security.

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin

Signed-off-by: Vladimir Sitnikov sitnikov.vladimir@gmail.com

mvmike commented 5 years ago

I see no need to check the checksums of all libs, since both repositories used in this project (jcenter and google) are accessed through https.

vlsi commented 5 years ago

Ok, I see your point.

By the way, here's an explanation why https is not enough: https://medium.com/@vladimirsitniko/dependency-verification-checksum-vs-pgp-582e76207019?sk=7485298b76eaf9f935b899b002f4c3b5

Here's a case with JCenter: https://blog.autsoft.hu/a-confusing-dependency/

Here's a case with NPM: https://news.ycombinator.com/item?id=14901566

msgilligan commented 5 years ago

> both repositories used in this project (jcenter and google) are accessed through https

Using https only protects from tampering while in-transit. If someone hacks the server or manages to re-publish tampered binaries to the server that won't be detected/prevented by https.

mvmike commented 5 years ago

Got the point. Still, it only helps if the file is tampered after being upgraded on the project along with its checksum (many of the checksums added to the PR are not officially published by their respective owners).

I'm aware that from the security perspective we should always be aiming for risk reduction; I just think that this is covering a single and very improbable scenario, thus making it not worth the effort.
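The two positions in this thread can be checked side by side: a pinned checksum catches a binary that is re-published (tampered) on the server after the pin was recorded, which HTTPS alone does not, while a pin taken from an already-tampered artifact (trust-on-first-use, not a publisher-provided value) catches nothing. This is an added illustration, not code from the plugin or the project; the artifact bytes and names are constructed stand-ins.

```python
import hashlib
from typing import Dict, List

# Constructed stand-ins for a jar as served over HTTPS before and after
# someone re-publishes a modified build under the same coordinates.
ORIGINAL_JAR = b"PK\x03\x04 commons-lib-1.0.jar (original release bytes)"
TAMPERED_JAR = b"PK\x03\x04 commons-lib-1.0.jar (re-published with extra code)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_checksums(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Trust-on-first-use: record the checksum of whatever is fetched now."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify(pinned: Dict[str, str], fetched: Dict[str, bytes]) -> List[str]:
    """Compare fetched artifacts against pinned checksums.

    Returns a list of problems; an empty list means the build may proceed.
    An artifact with no pin at all is reported too, so a newly introduced
    (e.g. transitive) dependency cannot slip in unreviewed.
    """
    problems = []
    for name, data in fetched.items():
        expected = pinned.get(name)
        actual = sha256_hex(data)
        if expected is None:
            problems.append(f"{name}: no pinned checksum (unknown dependency)")
        elif actual != expected:
            problems.append(f"{name}: checksum mismatch, expected {expected[:16]}... got {actual[:16]}...")
    return problems


def scenario_republished_after_pin() -> List[str]:
    """msgilligan's case: pin taken from the genuine jar, server later serves a modified one."""
    pinned = pin_checksums({"commons-lib-1.0.jar": ORIGINAL_JAR})
    return verify(pinned, {"commons-lib-1.0.jar": TAMPERED_JAR})


def scenario_tampered_before_pin() -> List[str]:
    """mvmike's caveat: pin recorded from an artifact that was already modified."""
    pinned = pin_checksums({"commons-lib-1.0.jar": TAMPERED_JAR})
    return verify(pinned, {"commons-lib-1.0.jar": TAMPERED_JAR})


if __name__ == "__main__":
    print("re-published after pin:", scenario_republished_after_pin())
    print("tampered before pin:  ", scenario_tampered_before_pin())
```

The second scenario passing verification is exactly why a checksum copied from the publisher (or a verified signature) is worth more than one computed locally at pin time.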