Skip to content

Bug 40163: Avoid checking hash of .pom files

Matthew Finkel requested to merge sysrqb/tor-browser-build:bug_40163_00 into master

Closes #40163 (closed)

A pom file of hosted third-party dependencies may be modified at any
time after publication. These files contain metadata about a version of
a repository. We avoid computing and verifying the hash of downloaded
.pom files that are listed in a project's gradle-dependencies-list.txt
because they change unpredictably. This should be safe while the .pom
file is not modified in such a way that it is rejected by gradle and
while we still check the hash of non-.pom files.

Merge request reports