New Checksum Plugin
So in my last post I was suggesting making it easier to include dependency checksums as part of a maven build. I decided that it should be simple enough to implement this as a Maven Plugin. For those of you interested, you can get the source to the new Checksum Plugin here.
The basic problem the plugin is trying to solve is that it is possible that central repositories get hacked and the artifacts/dependencies of our builds get replaced with malicious versions. Right now we have no way to easily detect that, and we could potentially create a release build of a project which bundles one of those malicious dependencies. In practice this rarely occurs, but it's not out of the realm of possibilities.
Basically the plugin supports generating a checksum.txt file that is included as part of the project build. This file holds all the checksums for the dependencies (including the checksum of each dependency's pom). Generating/updating is triggered via a Maven profile, and is only done when dependencies get updated.
In a normal build the plugin just validates the checksums of the downloaded dependencies against those stored in the checksum.txt file.
I wish I could move up the validation of the dependencies from their current Maven life cycle locations, but it seems you can't get the list of dependencies if it gets moved up any more. Any Maven mojo hackers have any workarounds for that?



3 Comments:
Nice :)
You can add @requiresDependencyResolution to the mojo annotations and use it as early as you like.
I would probably also split the common functionality into an abstract base mojo for less confusion rather than one extending the other.
By brettporter, At 12:12 AM
What about if I rebuild the dependency locally? I guess that's a rare case.
BR,
Jukka Zitting
By Jukka, At 4:28 AM
Brett, thanks, will update soon.
Jukka, actually no, not so rare when you consider that it happens every time in a reactor build. Since the checksum for those locally built dependencies will change with each build, you can specify that the checksum for that dependency is '*'.
The other odd bit is that the version number for reactor dependencies will change as part of the release process, so you can also use '*' for the dependency version number.
By Hiram Chirino, At 9:00 AM
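To make the mechanics concrete, here is an added example (not the plugin's own code, and not a format the post documents) of what the post and the reactor-build discussion in the comments describe: a checksum file is generated from the jar and pom of each dependency in a Maven-style local repository, a normal build verifies the downloaded files against it, and a dependency built in the same reactor is recorded with '*' for both its version and its checksum so that rebuilding it does not fail verification while a tampered third-party jar still does. The `group:artifact:version:type=sha1` line format, the SHA-1 choice and the repository layout helper are assumptions for this example; the scenario in `demo()` is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Assumed checksum-file format (the post does not specify the plugin's real one):
#   groupId:artifactId:version:type=sha1hex
# '*' may stand in for the version and for the checksum of a reactor-built dependency.


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large jars do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def artifact_paths(repo, group, artifact, version):
    """Maven local-repository layout: <repo>/<group as dirs>/<artifact>/<version>/<artifact>-<version>.{jar,pom}."""
    d = os.path.join(repo, *group.split("."), artifact, version)
    base = f"{artifact}-{version}"
    return {"jar": os.path.join(d, base + ".jar"), "pom": os.path.join(d, base + ".pom")}


def generate_checksums(repo, deps, reactor=()):
    """deps: (group, artifact, version) tuples; reactor: (group, artifact) pairs built in this reactor."""
    lines = []
    for g, a, v in deps:
        if (g, a) in reactor:
            # Version and checksum both change between builds/releases, so record wildcards.
            for t in ("jar", "pom"):
                lines.append(f"{g}:{a}:*:{t}=*")
            continue
        for t, p in artifact_paths(repo, g, a, v).items():
            lines.append(f"{g}:{a}:{v}:{t}={sha1_of(p)}")
    return "\n".join(lines) + "\n"


def parse_checksums(text):
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        g, a, v, t = key.split(":")
        table[(g, a, v, t)] = value
    return table


def verify_checksums(repo, deps, text):
    """Return a list of problems; an empty list means every dependency matched its recorded checksum."""
    table = parse_checksums(text)
    problems = []
    for g, a, v in deps:
        for t, p in artifact_paths(repo, g, a, v).items():
            expected = table.get((g, a, v, t))
            if expected is None:
                expected = table.get((g, a, "*", t))  # version wildcard for reactor dependencies
            if expected is None:
                problems.append(f"{g}:{a}:{v}:{t}: no recorded checksum")
            elif expected == "*":
                continue  # checksum wildcard: locally built, accept any content
            elif not os.path.exists(p):
                problems.append(f"{g}:{a}:{v}:{t}: missing file {p}")
            elif sha1_of(p) != expected:
                problems.append(f"{g}:{a}:{v}:{t}: checksum mismatch")
    return problems


def demo():
    """Constructed scenario: one third-party dependency and one module from the same reactor."""
    deps = [("org.example", "lib", "1.0"), ("org.example", "module-a", "2.0-SNAPSHOT")]
    reactor = {("org.example", "module-a")}
    with tempfile.TemporaryDirectory() as repo:
        for g, a, v in deps:
            for t, p in artifact_paths(repo, g, a, v).items():
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(f"constructed {t} for {a}-{v}".encode())
        text = generate_checksums(repo, deps, reactor)
        clean = verify_checksums(repo, deps, text)
        # Rebuilding the reactor module changes its bytes; the '*' entry lets it pass.
        with open(artifact_paths(repo, "org.example", "module-a", "2.0-SNAPSHOT")["jar"], "ab") as f:
            f.write(b"rebuilt")
        after_rebuild = verify_checksums(repo, deps, text)
        # A modified third-party jar is caught.
        with open(artifact_paths(repo, "org.example", "lib", "1.0")["jar"], "ab") as f:
            f.write(b"\x00")
        tampered = verify_checksums(repo, deps, text)
    return {"clean": clean, "after_rebuild": after_rebuild, "tampered": tampered,
            "checksum_lines": text.count("\n")}


if __name__ == "__main__":
    print(demo())
```

The wildcard lookup is deliberately narrow: only an entry recorded as `*` is exempt, and a dependency with no entry at all is reported rather than silently accepted, so a newly added dependency forces the checksum file to be regenerated under the profile instead of slipping through a normal build.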