From 464014684256adaeda5d14bac71a33b8f52d273f Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 22 Oct 2020 11:48:37 +0200
Subject: [PATCH] gradle dependency verification is too buggy with .pom metadata

This disables the verification of .pom files. .pom files can add dependencies, so it would be good to have them verified. But since this current setup requires all JARs to be verified, any new dependencies would fail anyway:
https://docs.gradle.org/current/userguide/dependency_verification.html#sec:disabling-metadata-verification

In some cases everything works fine, like on gitlab-ci, and in other places it always gives errors like this:

```
A problem occurred configuring root project 'client'.
> Dependency verification failed for configuration ':classpath'
  4 artifacts failed verification:
    - all-1.2.0.pom (com.sun.activation:all:1.2.0) from repository MavenRepo
    - jvnet-parent-1.pom (net.java:jvnet-parent:1) from repository MavenRepo
    - oss-parent-7.pom (org.sonatype.oss:oss-parent:7) from repository MavenRepo
    - oss-parent-9.pom (org.sonatype.oss:oss-parent:9) from repository MavenRepo
  This can indicate that a dependency has been compromised. Please carefully verify the checksums.

  Open this report for more details: file:///home/hans/code/fdroid/client/build/reports/dependency-verification/at-1603359642220/dependency-verification-report.html
```

@glennmen and @eighthave both are getting that error.

---
 gradle/verification-metadata.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 0c6f752b7..fddac78f6 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -1,7 +1,7 @@ - true + false true
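
Review bot: The `true` to `false` flip at the top of gradle/verification-metadata.xml turns off .pom verification for every dependency, although the failure quoted in the commit message names only four parent POMs (all-1.2.0.pom, jvnet-parent-1.pom, oss-parent-7.pom, oss-parent-9.pom) and the message itself notes that .pom files can add dependencies. Since the same build passes on gitlab-ci, it is worth checking first whether those four files simply lack checksum entries in this file; if so, adding entries for them (for example by regenerating with `gradle --write-verification-metadata sha256 help` and reviewing the resulting diff) would keep metadata verification on. If the global switch stays, a comment beside the `false` value that points at the linked Gradle docs section and states the condition for re-enabling it would keep this workaround from becoming permanent.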