Updated Build Security (markdown)

Dominik Schürmann 2015-06-16 00:08:40 +02:00
parent cc5562c6ac
commit 8c47b70603
1 changed files with 3 additions and 1 deletions

@ -1,2 +1,4 @@
1. On execution of ``./gradlew build``, the gradle wrapper downloads the actually required gradle version. This download is protected by SHA-256 verification [integrated by us into Gradle Wrapper](https://github.com/gradle/gradle/pull/448) (see [gradle/wrapper/gradle-wrapper.properties](https://github.com/open-keychain/open-keychain/blob/master/gradle/wrapper/gradle-wrapper.properties)). 1. On execution of ``./gradlew build``, the gradle wrapper downloads the actually required gradle version. This download is protected by SHA-256 verification [integrated by us into Gradle Wrapper](https://github.com/gradle/gradle/pull/448) (see [gradle/wrapper/gradle-wrapper.properties](https://github.com/open-keychain/open-keychain/blob/master/gradle/wrapper/gradle-wrapper.properties)).
2. All dependencies are either included as git submodules or downloaded from JCenter. JCenter dependencies are verified using SHA-256 by [Gradle Witness](https://github.com/WhisperSystems/gradle-witness) (see [OpenKeychain/build.gradle](https://github.com/open-keychain/open-keychain/blob/master/OpenKeychain/build.gradle)). 2. All dependencies are either included as git submodules or downloaded from JCenter. JCenter dependencies are verified using SHA-256 by [Gradle Witness](https://github.com/WhisperSystems/gradle-witness) (see [OpenKeychain/build.gradle](https://github.com/open-keychain/open-keychain/blob/master/OpenKeychain/build.gradle)).
TODO?: buildscript dependency verification?
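Review bot: The added line "TODO?: buildscript dependency verification?" is phrased as an open question, which leaves the page ambiguous next to item 2, where all dependencies are described as git submodules or JCenter downloads verified with SHA-256 by Gradle Witness. A reader cannot tell from this whether buildscript dependencies are covered by that statement or are an unverified part of the build. If they are not covered, state it as a known limitation in its own numbered item (for example "3. Buildscript dependencies are not yet verified") and narrow the wording of item 2 to the dependencies it actually covers. It would also help to link the TODO to an issue so the open work is tracked, and to keep it separated from item 2 so it does not render as part of that list entry.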