This repository was archived by the owner on Feb 21, 2025. It is now read-only.

Hardcode list of known checksums to avoid network requests in most cases #161

@Marcono1234

Description


This goes in the same direction as #96; was also suggested in #57 (comment)

What do you think about hardcoding the list of all known Gradle wrapper checksums into this action? Then during validation, the action first checks if the checksum is in that hardcoded list, or is specified in allow-checksums. And only if both checks fail does it send network requests to fetch the checksums.

This would hopefully have the following advantages:

  • Action is more efficient and reduces network traffic for Gradle site
  • Fewer spurious action failures due to network issues

It would not be an issue if the hardcoded list of checksums becomes outdated (possibly by months or even years); it probably still provides an advantage for the majority of the users, assuming they use older wrapper versions.

Alternative

Tell users to use the allow-checksums input. However, that risks reducing security because it might then become a usual action to update the allow-checksums input when updating the wrapper, and maintainers might then not properly verify that the allow-checksums value is actually one of the officially listed ones. This allows a malicious user to simply specify the checksum of their malicious wrapper, and claim it is the official checksum, hoping the maintainer does not verify it.
