JVM builds have lived with “duplicate classes on the classpath” for years. Most of the time, it’s an annoying source of NoSuchMethodError or a “why did production suddenly break when I reordered dependencies?” kind of bug.
Great article. Given that you mentioned that they are using the same package and class name, it would have been nice if you had at least given JPMS an honorable mention, because guess what you can’t do with JPMS at all… It’s not the most pragmatic solution today, but I think we should be pushing people in that direction for reasons including this.
Shame that Gradle itself doesn’t have even the basic support in its jars for JPMS.
Out of curiosity, are Gradle plugins SHA-hashed and signed by default? If not, they really should be.
The more I’ve been thinking about it, the more I’m concerned that Gradle is actually vulnerable to the exact same kinds of attacks that Node is currently going through, largely because the worm is not just a supply chain attack but an attack on the CI/CD pipeline. The reason I say Gradle itself is vulnerable is because of how Gradle’s plugins work. If you update a Gradle plugin that’s been infected, you’re going to have exactly the same problem.
I do not actually think that Gradle plugins are signed either, not that that would necessarily help, because a lot of people sign things now using the CI/CD pipeline.
The only two things I can think of that would help this problem in the Java community are… post-publish approval… While the Gradle team itself requires approval for first-time publishing, which helps, it wouldn’t help if your pipeline gets infected. Now I’m not saying the Gradle team should review every single plugin published, but perhaps there should be a “Send me an email and click the link to confirm the publication” step.
Another thought is that maybe we need to validate our jars in some better way. I’ve been thinking about seeing if there is a way for me to build a SHA sum on my local computer of the jar that matches what CI builds and then perhaps throw that into a signed annotated tag (but that sounds like a lot of work).
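The local-versus-CI digest check sketched in that comment, written out as an added example (not code from the article or the commenter): it compares the SHA-256 of a locally built jar with the digest CI published and only then records the digest in a GPG-signed annotated tag. It assumes `sha256sum` (or `shasum`) and `git` are on PATH; the jar path and version are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the commenter: verify that a locally
# built jar has the same SHA-256 as the one CI built, then pin that digest in a
# signed annotated tag so the signature covers the digest.
# Assumes sha256sum or shasum and git are on PATH; paths/versions are placeholders.

# Print the SHA-256 hex digest of a file (shasum fallback for systems without sha256sum).
jar_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{print $1}'
}

# Return 0 when the local jar's digest equals the CI-published digest, 1 otherwise.
# Digest comparison is case-insensitive so a value copied from a CI log in upper case still matches.
verify_jar() {
  jar=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(jar_digest "$jar")
  if [ "$actual" = "$expected" ]; then
    echo "OK       $jar $actual"
    return 0
  fi
  echo "MISMATCH $jar local=$actual ci=$expected" >&2
  return 1
}

# Create the signed tag only when the digests agree; the digest goes into the
# tag message so anyone verifying the tag signature also gets the pinned digest.
# git tag -s uses the signing key configured in git (user.signingkey).
tag_release() {
  version=$1 jar=$2 expected=$3
  verify_jar "$jar" "$expected" || return 1
  git tag -s "v$version" -m "Release $version
sha256($(basename "$jar"))=$expected"
}

# Constructed stand-in for a built jar so the check can be exercised offline.
make_sample_jar() {
  f=$(mktemp) && printf 'constructed jar bytes, not a real archive\n' > "$f" && echo "$f"
}
```

The local digest only equals CI's when the jar is built reproducibly; in Gradle that means setting `preserveFileTimestamps = false` and `reproducibleFileOrder = true` on the jar task, otherwise zip entry timestamps differ on every build.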