breautek commented on PR #1678: URL: https://github.com/apache/cordova-android/pull/1678#issuecomment-2104560822
FYI, was talking with Erisu last night and we came up with a plan to remove the JAR and thus avoid the security concerns about the integrity (e.g. xz backdoor style attacks) of the JAR file by introducing an empty gradle project, which effectively will serve as the old `wrapper.gradle` that we had. Running system gradle against the actual project will result in loading up the AGP plugin and thus requiring the end-user to have a system gradle version that satisfies AGP gradle requirements. Previously with the (now deprecated/pending removal of `-b` flag) wrapper.gradle file, it was used to install the wrapper without loading the AGP plugin, virtually allowing the user to be able to use any gradle version to install the wrapper. With the removal of the `-b` flag gradle is enforcing a consistent project structure. So the plan is to introduce a secondary gradle project that is just empty and serves the purpose of installing gradle wrapper, which should be usable by the cordova build. If time permits, I'm planning on making these changes later today. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
