groovy-dev mailing list archives

From Sean Gilligan <>
Subject Re: Release Apache Groovy 2.4.7
Date Sat, 04 Jun 2016 17:36:42 GMT
On 6/4/16 2:54 AM, Russel Winder wrote:
> For those who download and check signatures, SHA1 and MD5 are
> unreliable and provide very weak confidence.
> I am not sure what stance Gradle, Maven, and Ant take on signature
> checking, do they do any signature checking at all?

The only signature checking I know of in Gradle uses a SHA-256 hash to
check the signature of Gradle itself when downloaded by the wrapper jar.
I asked about this on the Gradle forum last October and am still waiting
for a response:

I don't think there is any hash checking included in Maven, but I'm
generally a Gradle user.

WhisperSystems (who make Signal, a secure messaging app for Android) has
created the Gradle Witness Plugin which also uses SHA-256:

bitcoinj (which is used to store private keys that can spend virtual
currency) uses some custom rules (only SHA-1, unfortunately) for the
Maven Enforcer Plugin:
(Note: there is some talk on the bitcoinj mailing list about switching
to Gradle)

It would be great to see Groovy releases publish SHA-256 hashes that can
be checked with the Gradle Witness Plugin (or perhaps upgraded SHA-256
rules for Maven enforcer).

-- Sean
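The download-and-check step discussed in this thread, as an added shell example that is not part of the original message and is not code from the Groovy, Gradle, bitcoinj or Gradle Witness projects: it pins a SHA-256 digest for a downloaded artifact, recomputes the digest locally, and refuses pins that are only MD5 or SHA-1 length, which is the weak case Russel raises. The artifact file name and digest values below are constructed for the demonstration (the digests are those of the three bytes "abc", not of any real Groovy release).

```shell
#!/bin/sh
# Added example (not project code): pinned SHA-256 verification of a
# downloaded artifact, rejecting MD5/SHA-1 pins as too weak.

# sha256_of FILE -> lowercase hex SHA-256 digest of FILE.
# Uses coreutils sha256sum when present, otherwise perl's shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_HEX
# exit status: 0 digest matches, 1 digest mismatch (tampered or wrong file),
#              2 the pin itself is unusable (not hex, or not SHA-256 length).
verify_artifact() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*) echo "pin for $file is not hex" >&2; return 2 ;;
  esac
  # 32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256. Only accept SHA-256.
  if [ "${#expected}" -ne 64 ]; then
    echo "pin for $file has ${#expected} hex chars (32=MD5, 40=SHA-1); refusing weak digest" >&2
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file: expected $expected got $actual" >&2
  return 1
}

# --- constructed demo input: a stand-in file, not a real release zip ---
tmp=$(mktemp -d)
printf 'abc' > "$tmp/groovy-binary-2.4.7.zip"
good_sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  # SHA-256("abc")
good_sha1=a9993e364706816aba3e25717850c26c9cd0d89d                           # SHA-1("abc")

verify_artifact "$tmp/groovy-binary-2.4.7.zip" "$good_sha256" || echo "unexpected failure"

# A one-byte change in the download is caught by the pinned digest.
printf 'abd' > "$tmp/groovy-binary-2.4.7-tampered.zip"
verify_artifact "$tmp/groovy-binary-2.4.7-tampered.zip" "$good_sha256" || echo "tamper detected (rc=$?)"

# A correct SHA-1 pin is still refused: the check only trusts SHA-256.
verify_artifact "$tmp/groovy-binary-2.4.7.zip" "$good_sha1" || echo "weak pin rejected (rc=$?)"

rm -rf "$tmp"
```

The distinct exit status for a weak or malformed pin matters in a build pipeline: a mismatch (1) should fail the build, but a SHA-1-only pin (2) should also fail rather than silently pass, so that a release that publishes only MD5/SHA-1 sums cannot be "verified" by accident.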
