GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Unverified Commit c9dc3e2d authored by Matthew Finkel

Bug 40163: Avoid checking hash of .pom files

A pom file of hosted third-party dependencies may be modified at any
time after publication. These files contain metadata about a version of
a repository. We avoid computing and verifying the hash of downloaded
.pom files that are listed in a project's gradle-dependencies-list.txt
because they change unpredictably. This should be safe while the .pom
file is not modified in such a way that it is rejected by gradle and
while we still check the hash of non-.pom files.
parent bd5b25f2
......@@ -10,7 +10,11 @@ m2dir="$(mktemp -d)"
artifact_filename=$(basename "$artifact_path")
artifact_dirname=$(dirname "$artifact_path")
[% GET c("urlget", { filename => 'downloaded_file', URL => artifact.url}); %]
echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c
# .pom files may be modified after a version is published, therefore verify
# the hash only if the file name does not end with '.pom'.
if ! echo "$artifact_filename" | grep -q '\.pom$'; then
echo "[% artifact.sha256sum %] downloaded_file" | sha256sum -c
fi
mkdir -p "$m2dir/$artifact_dirname"
mv -f downloaded_file "$m2dir/$artifact_dirname/$artifact_filename"
[% END -%]
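Review bot: the new `if ! echo ... | grep -q '\.pom$'` guard silently drops the integrity check for every `.pom` artifact, so a substituted or tampered `.pom` leaves no trace in the build log; emit an explicit notice in the else branch (for example `echo "skipping sha256 check for $artifact_filename (.pom)"`) so the exemption is visible when reviewing a build. Since a `.pom` declares dependency coordinates and versions, the only thing still constraining it is that the non-`.pom` artifacts it points at must exist in `gradle-dependencies-list.txt` with a checked hash, as the commit message notes; consider stating that assumption in the comment above the guard rather than only "may be modified after a version is published". Style: a `case "$artifact_filename" in *.pom) ... ;; *) ... ;; esac` avoids the `echo | grep` pipeline and the regex escaping.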