support alternative hashes #6
Comments
|
Ok, so I've avoided this for quite some time. The current version
all of that is done in python to avoid having to deal with stuff like nixpkgs/issues/188016 |
|
I've now looked through the nix source, an the failing of a FOD seems to be of type BuildError, a subtype of Error, and so I should be able to tryEval it away, and loop over all potential hashes for a source |
|
still, a LOT of work to implement & to debug |
Yeah, I guessed so from my own tinkering with gradle-dot-nix. My Python-Fu sucks real bad anyhow, so I rather felt like opening an issue (at least for documentation). Working around by manually adjusting the verification-metadata.xml works for now at least. Thanks for looking into it and verifying the existence of the issue. 😸 |
|
Yeah, I get the issue, but I had hoped it wouldn't occur. Basically the TODOs boil down to:
|
|
You could, probably, maybe, hopefully try out the |
|
Hi, I just tried and it did not seem to work for me in my case. What I have in my dependency-verification.xml: <component group="com.fasterxml.jackson.module" name="jackson-modules-java8" version="2.17.2">
<artifact name="jackson-modules-java8-2.17.2.pom">
<sha256 value="fc0839cd9bbac2774ac8cf2aec51f4088a69369575e7a963f972cc07f4fcb8b3" origin="Generated by Gradle">
<also-trust value="3f39c55109f51a228817b4b185e4351b9ef0501c09fc1e1a3075ae9547cc2d03"/>
</sha256>
</artifact>
</component>And the error I get: Switching the two hashes around, does still resolve the issue. Maven Repos I use: [
"https://repo.maven.apache.org/maven2",
"https://plugins.gradle.org/m2",
"https://repo.spring.io/milestone"
] |
|
do you have some good (public) repo i could use for a bit of trial-and-error debugging ? |
|
Hi, I just updated my play-repo for this kinda setup. I used your current commit from the feature branch gradle/verification-metadata.xml <artifact name="jackson-modules-java8-2.17.2.pom">
<sha256 value="fc0839cd9bbac2774ac8cf2aec51f4088a69369575e7a963f972cc07f4fcb8b3" origin="Generated by Gradle">
<also-trust value="3f39c55109f51a228817b4b185e4351b9ef0501c09fc1e1a3075ae9547cc2d03"/>
<!--<sha256 value="3f39c55109f51a228817b4b185e4351b9ef0501c09fc1e1a3075ae9547cc2d03" origin="Generated by Gradle">-->
<!--<also-trust value="fc0839cd9bbac2774ac8cf2aec51f4088a69369575e7a963f972cc07f4fcb8b3"/>-->
</sha256>
</artifact>You can just comment in the lines, i commented out and comment out the other two in order to switch the hashes.
Thanks for your efforts! I'm very glad, there is some progress in nixification of the Java Ecosystem. |
|
alright, time to ditch the current approach: |
|
Hi, just had a chat at NixCon 2024 with @mschwaig and we seem to agree, that the necessity for the feature is actually present only, because private, authenticated repositories, aren't supported by gradle-dot-nix. If If you wanted to be very compliant to the gradle-API, it may be preferable, to »also« support the alternative hash feature, however from my perspective, it is just a very poor and (not really) cheap solution to the lack of authentication support. Having multiple valid hashes to the "same" binary dependency is also kinda wrong from a supply chain security perspective. Best regards |
Hi,
for a couple popular libraries there may be multiple trusted hashes. In the verification-metadata.xml it may look like that:
Right now, gradle-dot-nix ignores these
<also-trust>-tags. To make it work, one needs to put the hashes into the correct order (switch between<sha256>- and<also-trust>-value). Of course, it would be much more easier to be handled, when gradle-dot-nix would iterate over all possible hashes.Best regards
Dean
The text was updated successfully, but these errors were encountered: