Safety of Gradle distributions?


(Jesper Skov) #1

When I launched Gradle 3.4 for the first time, my Windows 7 box blacked out. Instant death.

Nothing could be found on it, so it was probably just an unfortunate coincidence.

But since then, I have a very bad feeling whenever I download a new release.
Which is a shame, because I look forward to testing the new release.

Searching the forums shows that I am not alone:



I would really like for the release note to include SHA2-sums for the distribution archives.

It might not be the best solution (that would be signing), but it should be such a small effort to implement that it is hard (for an outsider) to understand why it has still not been done.

Cue crickets…


(Diogo Pereira) #2

What I don’t understand is why the wrapper task doesn’t set the distributionSha256Sum property automatically. Seems like a no-brainer to me.


(Pepper Lebeck-Jobe) #3

We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.


(Jesper Skov) #4

Good stuff!

Thanks! :smiley:


(Jesper Skov) #5

Uh, I spoke too soon.

I guess it is better than nothing.

But the checksums should really be included in the release notes.

As it is now, the file containing the checksum is placed right next to the release archive.

Anyone capable of replacing the release archive with nasty stuff probably has the wits to also replace the checksum file.

Sorry,
Jesper
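The verification the posts above circle around, as an added example that is not part of this thread or of Gradle's own code: compute the SHA-256 of a downloaded distribution, compare it against the published `.sha256` file, and pin the result in `gradle-wrapper.properties` as `distributionSha256Sum` so the wrapper re-checks the archive on every machine that runs it. The archive bytes and the properties file are constructed stand-ins (the `distributionUrl` form is assumed), and the checksum-file parser accepts both a bare hex digest and `sha256sum`-style `<hex>  <file>` lines. Pinning the digest in version control is what turns a checksum hosted next to the archive into something useful: the value a developer committed is what gets checked, not whatever sits on the download host at the time.

```python
import hashlib
import hmac
import re

# Constructed sample data (not a real Gradle distribution): a few bytes that
# stand in for gradle-3.4-bin.zip.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed stand-in for a Gradle distribution zip"

# Constructed stand-in for gradle/wrapper/gradle-wrapper.properties with no pin yet.
# The distributionUrl form is an assumption for the example.
SAMPLE_WRAPPER_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-3.4-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""

_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the archive bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str) -> str:
    """Extract the digest from a .sha256 file.

    Accepts a bare hex digest or sha256sum output ("<hex>  <file>").
    Raises ValueError if no 64-hex-digit token is present.
    """
    m = _HEX64.search(text)
    if not m:
        raise ValueError("no SHA-256 digest found in checksum file")
    return m.group(0).lower()


def verify_distribution(archive: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the archive's digest with the expected one."""
    return hmac.compare_digest(sha256_hex(archive), expected_hex.lower())


def pinned_checksum(properties_text: str):
    """Return the distributionSha256Sum value from wrapper properties, or None."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "distributionSha256Sum":
            return value.strip()
    return None


def pin_checksum(properties_text: str, digest_hex: str) -> str:
    """Add or replace the distributionSha256Sum line in the wrapper properties."""
    out, replaced = [], False
    for line in properties_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() == "distributionSha256Sum":
            out.append(f"distributionSha256Sum={digest_hex}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"distributionSha256Sum={digest_hex}")
    return "\n".join(out) + "\n"


def check_wrapper(properties_text: str, archive: bytes) -> bool:
    """Mirror of the check a pinned wrapper performs at download time:
    the archive is accepted only if its digest matches distributionSha256Sum."""
    pinned = pinned_checksum(properties_text)
    if pinned is None:
        return False  # no pin means nothing was verified
    return verify_distribution(archive, pinned)


if __name__ == "__main__":
    # Stand-in for the published .sha256 file: the bare digest plus a newline.
    digest = parse_checksum_file(sha256_hex(SAMPLE_ARCHIVE) + "\n")
    props = pin_checksum(SAMPLE_WRAPPER_PROPERTIES, digest)
    print(props)
    print("verified:", check_wrapper(props, SAMPLE_ARCHIVE))
    print("tampered:", check_wrapper(props, SAMPLE_ARCHIVE + b"x"))
```

Once the pin is committed, a swapped archive fails the check even if the `.sha256` file next to it was swapped as well, because the wrapper never consults that file again; only a change to the committed properties line can alter the expected value, and that change shows up in code review.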


(Pepper Lebeck-Jobe) #6

What’s special about the release notes? They are also hosted on our web infrastructure (like the distributions and the current location of the checksum files).


(Jesper Skov) #7

Nothing special about the release notes. My bad.

But somewhere different from where the archives are placed.

Many other places I download from use some third-party file service for distribution of archives, but host their web locally. Hence my suggestion.