aurora-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jake Farrell (JIRA)" <>
Subject [jira] [Commented] (AURORA-616) Consider using gradle-witness to verify dependencies
Date Thu, 31 Jul 2014 18:31:38 GMT


Jake Farrell commented on AURORA-616:

I played with this a little bit last night and ran into an issue with adding witness as a
dependency in the build_script as a compile(project: ) as this is not supported in gradle
(chicken-egg problem documented on gradle dev forums). I think the best approach will be to
add the src to build-support and compile and place the jar in the gradle folder. we can then
exclude this from the source dist and add a bootstrap step which will compile this before
generating the gradlew or adding any other deps we have (bower components etc)


> Consider using gradle-witness to verify dependencies
> ----------------------------------------------------
>                 Key: AURORA-616
>                 URL:
>             Project: Aurora
>          Issue Type: Story
>          Components: Build, Scheduler, Security
>            Reporter: Bill Farner
>            Priority: Trivial
>              Labels: newbie
> gradle-witness \[1\] aims to provide insulation against MITM attacks via maven dependency
downloads.  From the looks of things, it would require a pretty small amount of upfront work
and upkeep to integrate this and prevent injection of rogue code.
> \[1\]

This message was sent by Atlassian JIRA

View raw message