
Unverified Commit c9dc3e2d authored by Matthew Finkel

Bug 40163: Avoid checking hash of .pom files

A pom file of hosted third-party dependencies may be modified at any
time after publication. These files contain metadata about a version of
a repository. We avoid computing and verifying the hash of downloaded
.pom files that are listed in a project's gradle-dependencies-list.txt
because they change unpredictably. This should be safe while the .pom
file is not modified in such a way that it is rejected by gradle and
while we still check the hash of non-.pom files.
parent bd5b25f2
......@@ -10,7 +10,11 @@ m2dir="$(mktemp -d)"
artifact_filename=$(basename "$artifact_path")
artifact_dirname=$(dirname "$artifact_path")
[% GET c("urlget", { filename => 'downloaded_file', URL => artifact.url}); %]
echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c
# .pom files may be modified after a version is published, therefore verify
# the hash only if the file name does not end with '.pom'.
if ! echo "$artifact_filename" | grep -q '\.pom$'; then
echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c
mkdir -p "$m2dir/$artifact_dirname"
mv -f downloaded_file "$m2dir/$artifact_dirname/$artifact_filename"
[% END -%]
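Review bot: the hunk header advertises 11 lines on the new side but only 10 are visible, so the `fi` that closes `if ! echo "$artifact_filename" | grep -q '\.pom$'; then` is not shown; please confirm it closes immediately after the `sha256sum -c` line, so that `mkdir -p "$m2dir/$artifact_dirname"` and `mv -f downloaded_file ...` still run for .pom files (if the whole tail were inside the conditional, unverified .pom files would never be installed and the offline gradle build would fail for every dependency). The comment above the check should also carry the security argument from the commit message rather than reading as a convenience exemption: an unhashed .pom can only alter metadata such as dependency coordinates, and any coordinate not already present, and hash-checked, in `$m2dir` is rejected by gradle. Since `sha256sum -c` only reports the mismatch via its exit status, this relies on the script running under `set -e` (not visible in the hunk); a cheap additional safeguard for the now-unverified .pom would be to check that it at least parses as XML before it is moved into place.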