[ https://issues.apache.org/jira/browse/SOLR-17657?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christos Malliaridis updated SOLR-17657:
----------------------------------------
    Description:
Dependency verification is an important step that is used when we want to verify the integrity of third-party libraries. Right now, we have custom gradle tasks for generating and verifying the gradle checksums.

These custom gradle tasks seem to be limited in their dependency resolution and do not check dependencies from plugins, buildSrc or integrated builds.

Gradle comes with dependency verification options that also support signature checks, wherever available. It is also capable of taking plugins and configurations from buildSrc and integrated builds into account. See [Gradle dependency verification|https://docs.gradle.org/current/userguide/dependency_verification.html] for more information.

h2. Task

Evaluate the output and the capabilities available of the Gradle-native features from the above link and update the gradle tasks and development flows if they are preferred.

You can use the gradle task
{{.\gradlew \-\-write-verification-metadata sha256 help}}
for generating your first output at {{gradle/verification-metadata.xml}}.

h2. Acceptance Criteria
 - The GitHub workflows continue verifying checksums and optionally signatures

If updated to the Gradle-native tasks:
 - The steps in our developer guide are updated accordingly
 - redundant custom gradle tasks related to the checksum generation and verification are removed
 - Checksum files from {{solr/licenses}} are removed

If not updated to Gradle-native tasks:
 - The existing tasks are updated so that checksums from the new UI module (Kotlin multiplatform module) are also generated

h2. Additional Information

The new UI module introduced in #2605 is a Kotlin multiplatform module, which does not use the JavaPlugin that is used for resolving jar information (see jarValidation task). This means that it is not covered by our custom tasks.

We should try to address this issue before Solr 10 is released, because we have already changed a lot of things related to dependency management.

  was:
Dependency verification is an important step that is used when we want to verify the integrity of third-party libraries. Right now, we have custom gradle tasks for generating and verifying the gradle checksums.

These custom gradle tasks seem to be limited in their dependency resolution and do not check dependencies from plugins, buildSrc or integrated builds.

Gradle comes with dependency verification options that also support signature checks, wherever available. It is also capable of taking plugins and configurations from buildSrc and integrated builds into account. See [Gradle dependency verification|https://docs.gradle.org/current/userguide/dependency_verification.html] for more information.

h2. Task

Evaluate the output and the capabilities available of the Gradle-native features from the above link and update the gradle tasks and development flows if they are preferred.

You can use the gradle task
{{.\gradlew \-\-write-verification-metadata sha256 help}}
for generating your first output at {{gradle/verification-metadata.xml}}.

h2. Acceptance Criteria
 - The GitHub workflows continue verifying checksums and optionally signatures

If updated to the Gradle-native tasks:
 - The steps in our developer guide are updated accordingly
 - redundant custom gradle tasks related to the checksum generation and verification are removed
 - Checksum files from {{solr/licenses}} are removed

h2. Additional Information

The new UI module introduced in #2605 is a Kotlin multiplatform module, which does not use the JavaPlugin that is used for resolving jar information (see jarValidation task). This means that it is not covered by our custom tasks.

We should try to address this issue before Solr 10 is released, because we have already changed a lot of things related to dependency management.

> Evaluate and Update checksum and signature verification
> -------------------------------------------------------
>
>                 Key: SOLR-17657
>                 URL: https://issues.apache.org/jira/browse/SOLR-17657
>             Project: Solr
>          Issue Type: Improvement
>          Components: Gradle
>            Reporter: Christos Malliaridis
>            Priority: Major
>              Labels: checksum, gradle, integrity, verification
>
> Dependency verification is an important step that is used when we want to
> verify the integrity of third-party libraries. Right now, we have custom
> gradle tasks for generating and verifying the gradle checksums.
> These custom gradle tasks seem to be limited in their dependency resolution
> and do not check dependencies from plugins, buildSrc or integrated builds.
> Gradle comes with dependency verification options that also support signature
> checks, wherever available. It is also capable of taking plugins and
> configurations from buildSrc and integrated builds into account. See [Gradle
> dependency
> verification|https://docs.gradle.org/current/userguide/dependency_verification.html]
> for more information.
> h2. Task
> Evaluate the output and the capabilities available of the Gradle-native
> features from the above link and update the gradle tasks and development
> flows if they are preferred.
> You can use the gradle task
> {{.\gradlew \-\-write-verification-metadata sha256 help}}
> for generating your first output at {{gradle/verification-metadata.xml}}.
> h2. Acceptance Criteria
>  - The GitHub workflows continue verifying checksums and optionally signatures
> If updated to the Gradle-native tasks:
>  - The steps in our developer guide are updated accordingly
>  - redundant custom gradle tasks related to the checksum generation and
> verification are removed
>  - Checksum files from {{solr/licenses}} are removed
> If not updated to Gradle-native tasks:
>  - The existing tasks are updated so that checksums from the new UI module
> (Kotlin multiplatform module) are also generated
> h2. Additional Information
> The new UI module introduced in #2605 is a Kotlin multiplatform module, which
> does not use the JavaPlugin that is used for resolving jar information (see
> jarValidation task). This means that it is not covered by our custom tasks.
> We should try to address this issue before Solr 10 is released, because we
> have already changed a lot of things related to dependency management.
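
As an added example, not taken from the issue or from Solr's build: the checksum comparison that a `gradle/verification-metadata.xml` file drives, run over constructed artifacts, including one that was never recorded (the gap the issue describes for dependencies outside the custom tasks' reach). The component names, jar bytes and the `load_expected`/`check` helpers are assumptions for illustration, and artifacts are keyed by file name only.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"g": "https://schema.gradle.org/dependency-verification"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for resolved jars (hypothetical names, not real libraries).
GOOD_JAR = b"constructed bytes of example-lib-1.0.jar"
UI_JAR = b"constructed bytes of example-ui-2.0.jar"

# Constructed metadata in the layout Gradle writes to gradle/verification-metadata.xml.
METADATA = f"""<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.example" name="example-lib" version="1.0">
      <artifact name="example-lib-1.0.jar">
        <sha256 value="{sha256_hex(GOOD_JAR)}" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""

def load_expected(xml_text):
    """Return ({artifact file name: set of recorded sha256}, verify-signatures flag)."""
    root = ET.fromstring(xml_text)
    expected = {}
    for art in root.iterfind("g:components/g:component/g:artifact", NS):
        sums = {s.get("value").lower() for s in art.iterfind("g:sha256", NS)}
        expected.setdefault(art.get("name"), set()).update(sums)
    flag = root.findtext("g:configuration/g:verify-signatures", "false", NS)
    return expected, flag.strip().lower() == "true"

def check(xml_text, resolved):
    """Classify each resolved artifact as 'ok', 'mismatch' or 'unlisted'."""
    expected, _ = load_expected(xml_text)
    report = {}
    for name, data in resolved.items():
        if name not in expected:
            report[name] = "unlisted"  # no recorded checksum for this artifact
        else:
            report[name] = "ok" if sha256_hex(data) in expected[name] else "mismatch"
    return report
```

An `unlisted` result is the case to watch when comparing the two approaches: an artifact that one resolution path never saw has no checksum to compare against.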