Bug 40163: Avoid checking hash of .pom files (!142) · Merge requests · The Tor Project / Applications / tor-browser-build

Matthew Finkel requested to merge sysrqb/tor-browser-build:bug_40163_00 into master Dec 03, 2020

A pom file of hosted third-party dependencies may be modified at any
time after publication. These files contain metadata about a version of
a repository. We avoid computing and verifying the hash of downloaded
.pom files that are listed in a project's gradle-dependencies-list.txt
because they change unpredictably. This should be safe while the .pom
file is not modified in such a way that it is rejected by gradle and
while we still check the hash of non-.pom files.

Bug 40163: Avoid checking hash of .pom files

Merge request reports