[tor-commits] [tor-browser-build/maint-10.0-android] Bug 40163: Avoid checking hash of .pom files

[sysrqb at torproject.org]

commit c9dc3e2db6f952db44a5a01388c46c54d69f3221
Author: Matthew Finkel <sysrqb at torproject.org>
Date:   Thu Dec 3 19:17:46 2020 +0000

    Bug 40163: Avoid checking hash of .pom files
    
    A pom file of hosted third-party dependencies may be modified at any
    time after publication. These files contain metadata about a version of
    a repository. We avoid computing and verifying the hash of downloaded
    .pom files that are listed in a project's gradle-dependencies-list.txt
    because they change unpredictably. This should be safe while the .pom
    file is not modified in such a way that it is rejected by gradle and
    while we still check the hash of non-.pom files.
---
 projects/common/fetch-gradle-dependencies | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/projects/common/fetch-gradle-dependencies b/projects/common/fetch-gradle-dependencies
index 0acd38a..9f18302 100644
--- a/projects/common/fetch-gradle-dependencies
+++ b/projects/common/fetch-gradle-dependencies
@@ -10,7 +10,11 @@ m2dir="$(mktemp -d)"
     artifact_filename=$(basename "$artifact_path")
     artifact_dirname=$(dirname "$artifact_path")
     [% GET c("urlget", { filename => 'downloaded_file', URL => artifact.url}); %]
-    echo "[% artifact.sha256sum %]  downloaded_file" | sha256sum -c
+    # .pom files may be modified after a version is published, therefore verify
+    # the hash only if the file name does not end with '.pom'.
+    if ! echo "$artifact_filename" | grep -q '\.pom$'; then
+        echo "[% artifact.sha256sum %]  downloaded_file" | sha256sum -c
+    fi
     mkdir -p "$m2dir/$artifact_dirname"
     mv -f downloaded_file "$m2dir/$artifact_dirname/$artifact_filename"
 [% END -%]