[tbb-commits] [tor-browser-build/master] Bug 40163: Avoid checking hash of .pom files
gk at torproject.org
Fri Dec 4 07:55:05 UTC 2020
commit 2474956d087e802a2d1143e7ca6d2890470a8633
Author: Matthew Finkel <sysrqb at torproject.org>
Date: Thu Dec 3 19:17:46 2020 +0000
Bug 40163: Avoid checking hash of .pom files
A pom file of hosted third-party dependencies may be modified at any
time after publication. These files contain metadata about a version of
a repository. We avoid computing and verifying the hash of downloaded
.pom files that are listed in a project's gradle-dependencies-list.txt
because they change unpredictably. This should be safe while the .pom
file is not modified in such a way that it is rejected by gradle and
while we still check the hash of non-.pom files.
---
projects/common/fetch-gradle-dependencies | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/projects/common/fetch-gradle-dependencies b/projects/common/fetch-gradle-dependencies
index 0acd38a..9f18302 100644
--- a/projects/common/fetch-gradle-dependencies
+++ b/projects/common/fetch-gradle-dependencies
@@ -10,7 +10,11 @@ m2dir="$(mktemp -d)"
artifact_filename=$(basename "$artifact_path")
artifact_dirname=$(dirname "$artifact_path")
[% GET c("urlget", { filename => 'downloaded_file', URL => artifact.url}); %]
- echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c
+ # .pom files may be modified after a version is published, therefore verify
+ # the hash only if the file name does not end with '.pom'.
+ if ! echo "$artifact_filename" | grep -q '\.pom$'; then
+ echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c
+ fi
mkdir -p "$m2dir/$artifact_dirname"
mv -f downloaded_file "$m2dir/$artifact_dirname/$artifact_filename"
[% END -%]
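Review bot: Exempting `.pom` files from `sha256sum -c` drops the only integrity check this script applies to a dependency's metadata, and the commit message's own safety condition ("while the .pom file is not modified in such a way that it is rejected by gradle") is the gap: a `.pom` that is altered but still accepted by gradle is precisely the case a hash check would have caught, and it is no longer detected. If the hashes in `gradle-dependencies-list.txt` cannot be kept stable for `.pom` files, consider at least an `else` branch that prints the skipped artifact name and the observed `sha256sum downloaded_file`, so the build log records which `.pom` files were fetched unverified and what content was used; that keeps the build reproducible-in-log even when verification is skipped. As a minor style point, the extension test can avoid the `echo | grep` pipeline with a POSIX pattern match, for example `case "$artifact_filename" in *.pom) ... ;; *) echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c ;; esac`, which also avoids an unquoted regex subtlety if the filename ever contains a newline.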