groovy-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sean Gilligan <s...@msgilligan.com>
Subject Re: Release Apache Groovy 2.4.7
Date Sat, 04 Jun 2016 17:36:42 GMT
On 6/4/16 2:54 AM, Russel Winder wrote:
>
> For those who download and check signatures, SHA1 and MD5 are
> unreliable and provide very weak confidence.
>
> I am not sure what stance Gradle, Maven, and Ant take on signature
> checking, do they do any signature checking at all?


The only signature checking I know of in Gradle uses a SHA-256 hash to
check the signature of Gradle itself when downloaded by the wrapper jar.
I asked about this on the Gradle forum last October and am still waiting
for a response:
https://discuss.gradle.org/t/jar-validation-via-hashes-or-signatures/12238

I don't think there is any hash checking included in Maven, but I'm
generally a Gradle user.

WhisperSystems (who make Signal, a secure messaging app for Android) has
created the Gradle Witness Plugin which also uses SHA-256:
https://github.com/WhisperSystems/gradle-witness

bitcoinj (which is used to store private keys that can spend virtual
currency) use some custom rules (only SHA-1, unfortunately) for the
Maven Enforcer Plugin:

https://github.com/gary-rowe/BitcoinjEnforcerRules
http://maven.apache.org/enforcer/maven-enforcer-plugin/
(Note: there is some talk on the bitcoinj mailing list about switching
to Gradle)

It would be great to see Groovy releases publish SHA-256 hashes that can
be checked with the Gradle Witness Plugin (or perhaps upgraded SHA-256
rules for Maven enforcer)

-- Sean


Mime
View raw message