[jira] [Commented] (OFBIZ-12186) Dependency verification

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292125#comment-17292125 ]

ASF subversion and git services commented on OFBIZ-12186:
---------------------------------------------------------

Commit c2c609d8e4e94de1d932b80249613a628a3eccd9 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c2c609d ]

Improved: Dependency verification (OFBIZ-12186)

I just read an ASF members thread about this article:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

One member mentioned that the Groovy project is using Gradle's dependency
verification feature[1] in the Apache Groovy build.

I suggest we do the same, even after the move from JCenter to MavenCentral where
things should be safer.

[1] https://docs.gradle.org/current/userguide/dependency_verification.html

This commit includes:
The verification-metadata.xml and verification-keyring.gpg used by the
verification task
*.gpg as binary in .gitattributes for verification-keyring.gpg

The documentation about the verification in sy-dependency-verification.adoc
with a link and some unrelated changes in security.adoc about security for
OFBiz in production
An empty line removed in build.gradle


> Dependency verification
> ------------------------
>
>                 Key: OFBIZ-12186
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12186
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Major
>         Attachments: verification-metadata.xml
>
>
> I posted a related message in dev ML: https://markmail.org/message/55r5ycn2wrbotnbn:
> {quote}
> Hi,
> I just read a members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
> One member mentioned that the Groovy project is using Gradle's dependency verification feature[1] in the Apache Groovy build.
> I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.
> What do you think?
> [1] https://docs.gradle.org/current/userguide/dependency_verification.html
> Jacques
> {quote}
> Note that dependency verification is an incubating feature. So we will wait before backporting from trunk...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
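The commit above checks a verification-metadata.xml and a keyring into the build, but the protection it buys depends on what the file actually says: whether `verify-signatures` is on (Gradle's default is off, only `verify-metadata` defaults to on), whether any `<ignored-key>` entries were written while bootstrapping, and whether every artifact is pinned by a signature or merely by a checksum. The following is an added example for this thread, not OFBiz or Gradle code: a small Python audit of a verification-metadata.xml that reports those points. It assumes only the schema Gradle documents (the `https://schema.gradle.org/dependency-verification` namespace, `<trusted-key>` attributes `group`, `name`, `version`, `file`, `regex`, and per-artifact `<md5>`, `<sha1>`, `<sha256>`, `<sha512>`, `<pgp>` entries); the regex handling is an approximation of Gradle's, and the embedded sample document is constructed, with placeholder digests and key IDs rather than values from any real artifact.

```python
"""Audit a Gradle verification-metadata.xml for weak settings.

Added example for this thread, not OFBiz or Gradle code. It reports
whether checksum and signature verification are both enabled, which
keys are ignored, and which artifacts are pinned by nothing, by a
checksum only, or by md5/sha1 only.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}
STRONG_CHECKSUMS = ("sha256", "sha512")
WEAK_CHECKSUMS = ("md5", "sha1")

# Constructed sample shaped like the file --write-verification-metadata
# produces. Digests and key IDs are placeholders, not real values.
SAMPLE_METADATA = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
    <trusted-keys>
      <trusted-key id="0000000000000000000000000000000000000001" group="org.example"/>
    </trusted-keys>
    <ignored-keys>
      <ignored-key id="0000000000000000000000000000000000000002" reason="Key couldn't be downloaded"/>
    </ignored-keys>
  </configuration>
  <components>
    <component group="org.example" name="lib-a" version="1.0">
      <artifact name="lib-a-1.0.jar">
        <sha256 value="placeholder-not-a-real-digest" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="org.example" name="lib-b" version="2.0">
      <artifact name="lib-b-2.0.jar">
        <pgp value="0000000000000000000000000000000000000003"/>
      </artifact>
    </component>
    <component group="org.other" name="lib-c" version="3.1">
      <artifact name="lib-c-3.1.jar">
        <sha1 value="placeholder-not-a-real-digest"/>
      </artifact>
      <artifact name="lib-c-3.1.pom"/>
    </component>
  </components>
</verification-metadata>
"""


def _flag(cfg, name, default):
    # Boolean <configuration> child; an absent element means Gradle's default.
    el = None if cfg is None else cfg.find(f"v:{name}", NS)
    if el is None or el.text is None:
        return default
    return el.text.strip().lower() == "true"


def _key_covers(tk, **actual):
    # True if a <trusted-key> applies to the artifact (exact or regex match).
    regex = tk.get("regex") == "true"
    for attr, value in actual.items():
        want = tk.get(attr)
        if want is None:
            continue  # attribute not constrained by this entry
        if (re.fullmatch(want, value) is None) if regex else (want != value):
            return False
    return True


def audit(xml_text):
    root = ET.fromstring(xml_text)
    cfg = root.find("v:configuration", NS)
    trusted = [] if cfg is None else cfg.findall("v:trusted-keys/v:trusted-key", NS)
    ignored = [] if cfg is None else cfg.findall("v:ignored-keys/v:ignored-key", NS)
    report = {
        "verify_metadata": _flag(cfg, "verify-metadata", True),
        "verify_signatures": _flag(cfg, "verify-signatures", False),
        "ignored_keys": [k.get("id") for k in ignored],
        "unverified": [],     # nothing pins this artifact
        "checksum_only": [],  # no <pgp> entry and no matching <trusted-key>
        "weak_checksum": [],  # pinned by md5/sha1 only
    }
    for comp in root.findall("v:components/v:component", NS):
        g, n, ver = comp.get("group"), comp.get("name"), comp.get("version")
        for art in comp.findall("v:artifact", NS):
            fname = art.get("name")
            ident = f"{g}:{n}:{ver}/{fname}"
            tags = {child.tag.split("}")[-1] for child in art}
            strong = any(t in tags for t in STRONG_CHECKSUMS)
            weak = any(t in tags for t in WEAK_CHECKSUMS)
            signed = "pgp" in tags or any(
                _key_covers(tk, group=g, name=n, version=ver, file=fname) for tk in trusted)
            if not (strong or weak or signed):
                report["unverified"].append(ident)
            elif not signed:
                report["checksum_only"].append(ident)
            if weak and not strong:
                report["weak_checksum"].append(ident)
    return report


def is_hardened(report):
    # Both verifications on, no ignored keys, every artifact signature-covered.
    return (report["verify_metadata"] and report["verify_signatures"]
            and not report["ignored_keys"] and not report["unverified"]
            and not report["checksum_only"] and not report["weak_checksum"])


if __name__ == "__main__":
    import json
    result = audit(SAMPLE_METADATA)
    print(json.dumps(result, indent=2))
    print("hardened:", is_hardened(result))
```

Run against the real `gradle/verification-metadata.xml` with `audit(open(path).read())`, the report is what a reviewer should read before merging a bootstrap commit: a `false` under `verify_signatures` means the keyring is never consulted, and an entry under `ignored_keys` means Gradle will accept any signature made by that key without checking it.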