Closed vlsi closed 5 years ago
I see no need of checking checksums of all libs since both repositories used in this project (jcenter and google) are accessed through https
Ok, I see your point.
By the way, here's an explanation why https is not enough: https://medium.com/@vladimirsitniko/dependency-verification-checksum-vs-pgp-582e76207019?sk=7485298b76eaf9f935b899b002f4c3b5
Here's a case with JCenter: https://blog.autsoft.hu/a-confusing-dependency/
Here's a case with NPM: https://news.ycombinator.com/item?id=14901566
> both repositories used in this project (jcenter and google) are accessed through https

Using https only protects from tampering while in-transit. If someone hacks the server or manages to re-publish tampered binaries to the server, that won't be detected/prevented by https.
Got the point. Still, it only helps if the file is tampered with after being upgraded on the project along with its checksum (many of the checksums added to the PR are not officially published by their respective owners).
I'm aware that from the security perspective we should always be aiming for risk reduction; I just think that this is covering a single and very improbable scenario, thus making it not worth the effort.
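The two points above (TLS only covers the channel, and a pinned checksum only helps if the pin was taken before the artifact changed) as an added worked example, not code from the PR or from checksum-dependency-plugin. Artifact bytes and the `com.example:lib:1.0` coordinates are constructed for the demo; the pin-on-first-use flow is assumed as a simplified model of how such a plugin records checksums:

```python
import hashlib
import hmac

def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

def verify(fetched: dict, pinned: dict) -> dict:
    """Compare each fetched artifact (coords -> bytes) against the pinned digest.
    'ok'        digest matches the pin
    'MISMATCH'  same coordinates, different bytes: the server's contents changed
    'UNPINNED'  no pin recorded, so nothing beyond the TLS channel vouches for it"""
    report = {}
    for coords, data in fetched.items():
        if coords not in pinned:
            report[coords] = "UNPINNED"
        elif hmac.compare_digest(sha512_hex(data), pinned[coords]):
            report[coords] = "ok"
        else:
            report[coords] = "MISMATCH"
    return report

def pin_first_use(fetched: dict, pinned: dict) -> dict:
    """Trust-on-first-use: record a digest for every artifact not yet pinned.
    Whatever is served at that moment becomes the baseline, which is the
    limitation raised in the thread: a pin taken from already-bad bytes passes later."""
    updated = dict(pinned)
    for coords, data in fetched.items():
        updated.setdefault(coords, sha512_hex(data))
    return updated

# Constructed sample artifacts; the byte strings stand in for jar contents.
GOOD = {"com.example:lib:1.0": b"lib-1.0 as originally published"}
REPUBLISHED = {"com.example:lib:1.0": b"lib-1.0 with different contents"}

def scenario() -> dict:
    pins = pin_first_use(GOOD, {})           # first build records the pin
    over_tls = verify(REPUBLISHED, {})       # no pins: the channel alone cannot tell
    with_pins = verify(REPUBLISHED, pins)    # pinned earlier: the change is caught
    # Counter-case from the thread: a pin recorded after the change accepts it.
    late_pins = pin_first_use(REPUBLISHED, {})
    return {
        "no_pins": over_tls["com.example:lib:1.0"],
        "pinned": with_pins["com.example:lib:1.0"],
        "pinned_too_late": verify(REPUBLISHED, late_pins)["com.example:lib:1.0"],
    }

if __name__ == "__main__":
    print(scenario())
```

The last case is why checksums that are not published by the artifact owners (as the comment above notes) only raise the bar for changes after the pin, not before it.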
checksum-dependency-plugin is a superset of gradle-witness, and it enables increasing the level of security. See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin
Signed-off-by: Vladimir Sitnikov sitnikov.vladimir@gmail.com