This repository has been archived by the owner on Feb 12, 2022. It is now read-only.
extend to gradle plugins #10
Comments
Full ACK |
+1. It would also be nice to have a tool or "best practice" for validating the wrapper scripts and jars that bootstrap most builds. |
I created a topic on the Gradle forum that includes this issue: |
Really, the gradle-wrapper should validate what it downloads automatically,
whenever possible. That should be easy for any gradle binary, since those all
have a stable sha256 hash, and there are not very many of them (about 20?).
Those hashes just need to be included in gradle-wrapper and mapped to the
right file/URL.
|
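Added example, not part of the thread and not code from gradle-wrapper or gradle-witness: a sketch of the check the comment above describes, where each distribution URL maps to a pinned sha256 and anything unknown or mismatching is rejected. The pin table, the `X.Y` placeholder URL and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a distribution archive; a real run would read the
# downloaded zip from disk. The URL is a placeholder, not a real release.
SAMPLE_URL = "https://services.gradle.org/distributions/gradle-X.Y-bin.zip"
SAMPLE_ZIP = b"PK\x03\x04 constructed sample bytes, not a real Gradle zip"

# Hypothetical pin table of the kind the comment describes: URL -> sha256 hex.
PINNED = {SAMPLE_URL: hashlib.sha256(SAMPLE_ZIP).hexdigest()}


class VerificationError(Exception):
    pass


def parse_wrapper_properties(text):
    """Parse gradle-wrapper.properties, undoing the '\\:' escaping in URLs."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def verify_distribution(url, data, pinned=PINNED):
    """Return the digest if data matches the pin for url; otherwise raise."""
    if not url.startswith("https://"):
        raise VerificationError("refusing non-HTTPS distribution URL")
    expected = pinned.get(url)
    if expected is None:
        # Fail closed: a URL without a pin is never trusted by default.
        raise VerificationError("no pinned hash for " + url)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError("sha256 mismatch for " + url)
    return actual


if __name__ == "__main__":
    props = parse_wrapper_properties(
        "distributionUrl=https\\://services.gradle.org/distributions/gradle-X.Y-bin.zip\n"
    )
    print(verify_distribution(props["distributionUrl"], SAMPLE_ZIP))
```

The pin table has to ship with the verifier or be committed to the repository; a hash fetched from the same server as the archive adds nothing.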
Just in case: Gradle's Plugin: https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin Sample use: vlsi/vlsi-release-plugins@208734b The key idea is to add the plugin right into |
Since the whole gradle build process for Android relies on downloading plugins from jcenter, we really need a way to do what gradle-witness does, but for those plugins. @dschuermann already made it possible to have the gradle wrapper verify the sha256 of gradle binaries it downloads: gradle/gradle#448. The missing piece remains gradle plugins.
This is probably the most essential bit to verify: