commit 2474956d087e802a2d1143e7ca6d2890470a8633 Author: Matthew Finkel <sysrqb@torproject.org> Date: Thu Dec 3 19:17:46 2020 +0000 Bug 40163: Avoid checking hash of .pom files A pom file of hosted third-party dependencies may be modified at any time after publication. These files contain metadata about a version of a repository. We avoid computing and verifying the hash of downloaded .pom files that are listed in a project's gradle-dependencies-list.txt because they change unpredictably. This should be safe while the .pom file is not modified in such a way that it is rejected by gradle and while we still check the hash of non-.pom files. --- projects/common/fetch-gradle-dependencies | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/projects/common/fetch-gradle-dependencies b/projects/common/fetch-gradle-dependencies index 0acd38a..9f18302 100644 --- a/projects/common/fetch-gradle-dependencies +++ b/projects/common/fetch-gradle-dependencies @@ -10,7 +10,11 @@ m2dir="$(mktemp -d)" artifact_filename=$(basename "$artifact_path") artifact_dirname=$(dirname "$artifact_path") [% GET c("urlget", { filename => 'downloaded_file', URL => artifact.url}); %] - echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c + # .pom files may be modified after a version is published, therefore verify + # the hash only if the file name does not end with '.pom'. + if ! echo "$artifact_filename" | grep -q '\.pom$'; then + echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c + fi mkdir -p "$m2dir/$artifact_dirname" mv -f downloaded_file "$m2dir/$artifact_dirname/$artifact_filename" [% END -%]