
gradle dependency verification is too buggy with .pom metadata

This disables the verification of .pom files. .pom files can add dependencies, so it would be good to have them verified. But since this current setup requires all JARs to be verified, any new dependencies would fail anyway: https://docs.gradle.org/current/userguide/dependency_verification.html#sec:disabling-metadata-verification

In some cases everything works fine, like on gitlab-ci, and in other places it always gives errors like this:

A problem occurred configuring root project 'client'.
> Dependency verification failed for configuration ':classpath'
  4 artifacts failed verification:
- all-1.2.0.pom (com.sun.activation:all:1.2.0) from repository MavenRepo
- jvnet-parent-1.pom (net.java:jvnet-parent:1) from repository MavenRepo
- oss-parent-7.pom (org.sonatype.oss:oss-parent:7) from repository MavenRepo
- oss-parent-9.pom (org.sonatype.oss:oss-parent:9) from repository MavenRepo
  This can indicate that a dependency has been compromised. Please carefully verify the checksums.

  Open this report for more details: file:///home/hans/code/fdroid/client/build/reports/dependency-verification/at-1603359642220/dependency-verification-report.html

@Glennmen and @eighthave both are getting that error.
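A toy model of the argument in the description, added here as an example (it is neither F-Droid client code nor Gradle's own implementation): with `<verify-metadata>false</verify-metadata>`, a tampered .pom can declare an extra dependency, but every resolved JAR still needs a matching entry in `verification-metadata.xml`, so the injected JAR is rejected. All coordinates, JAR bytes and the .pom are constructed; the model assumes, as Gradle does, that a JAR absent from the metadata fails exactly like one with a wrong checksum.

```python
import hashlib
import xml.etree.ElementTree as ET

GV = {"v": "https://schema.gradle.org/dependency-verification"}
MV = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed JAR bytes standing in for the Maven repository (not real artifacts).
REPO = {("com.example", "lib", "1.0"): b"constructed lib-1.0.jar",
        ("evil.example", "backdoor", "0.1"): b"constructed backdoor-0.1.jar"}
# Constructed verification-metadata.xml: .pom verification disabled, as in the MR,
# but lib-1.0.jar is pinned to the SHA-256 of the bytes above.
VERIFICATION_METADATA = f"""<verification-metadata xmlns="{GV['v']}">
  <configuration><verify-metadata>false</verify-metadata></configuration>
  <components>
    <component group="com.example" name="lib" version="1.0">
      <artifact name="lib-1.0.jar">
        <sha256 value="{hashlib.sha256(REPO[('com.example', 'lib', '1.0')]).hexdigest()}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""
# Constructed lib-1.0.pom after tampering: a dependency nobody reviewed was added.
TAMPERED_POM = f"""<project xmlns="{MV['m']}"><dependencies>
  <dependency><groupId>evil.example</groupId><artifactId>backdoor</artifactId><version>0.1</version></dependency>
</dependencies></project>"""


def trusted_jars(metadata_xml):
    """Map (group, name, version, file) -> pinned sha256 hex from verification-metadata.xml."""
    root = ET.fromstring(metadata_xml)
    return {(c.get("group"), c.get("name"), c.get("version"), a.get("name")): a.find("v:sha256", GV).get("value")
            for c in root.findall("v:components/v:component", GV) for a in c.findall("v:artifact", GV)}


def pom_dependencies(pom_xml):
    """Coordinates declared in a .pom's <dependencies> block (what an unverified .pom controls)."""
    root = ET.fromstring(pom_xml)
    return [tuple(d.findtext(f"m:{tag}", namespaces=MV) for tag in ("groupId", "artifactId", "version"))
            for d in root.findall("m:dependencies/m:dependency", MV)]


def verify_resolution(root_coords, pom_xml, metadata_xml):
    """Resolve root_coords plus everything its .pom pulls in; return the JARs that checksum
    verification rejects. An unlisted JAR fails just like one whose checksum mismatches."""
    pins, failures = trusted_jars(metadata_xml), []
    for g, a, v in [root_coords] + pom_dependencies(pom_xml):
        jar = f"{a}-{v}.jar"
        expected = pins.get((g, a, v, jar))
        actual = hashlib.sha256(REPO[(g, a, v)]).hexdigest()
        if expected != actual:
            failures.append((jar, "missing from verification metadata" if expected is None else "checksum mismatch"))
    return failures
```

Running `verify_resolution(("com.example", "lib", "1.0"), TAMPERED_POM, VERIFICATION_METADATA)` reports only `backdoor-0.1.jar`, which is the point of the description: the unverified .pom smuggles in a dependency, but its JAR cannot pass.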
