
Hardened Gradle builds with Gradle dependency verification and defined module restrictions on third-party maven repositories. #2174

Open
wants to merge 1 commit into
base: dev

Conversation


@0-x-2-2 0-x-2-2 commented Nov 21, 2023

This prevents anyone from replacing dependencies from under our feet for any purpose, either with malicious intent or by accident.

See the Gradle documentation for more information:
https://docs.gradle.org/current/userguide/dependency_verification.html

…d module restrictions on third-party maven repositories.

This prevents anyone from replacing dependencies from under our feet for any purpose, either with malicious intent or by accident.

See the Gradle documentation for more information:
https://docs.gradle.org/current/userguide/dependency_verification.html
```groovy
modImplementation "net.fabricmc:fabric-loader:${project.loader_version}"
repositories {
    // Log if any unknown repositories were added non-explicitly.
    forEach { repo ->
```
Contributor Author


This can be removed if you don't like it.

```groovy
minecraft "com.mojang:minecraft:${project.minecraft_version}"
mappings "net.fabricmc:yarn:${project.yarn_mappings}:v2"
modImplementation "net.fabricmc:fabric-loader:${project.loader_version}"
repositories {
```
Contributor Author


This entire repositories block is not strictly required either but prevents downloading artifacts from the wrong place.
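As an added illustration (not this PR's build script and not Sodium's own code), here is how the two measures discussed above, repository restrictions and dependency verification, fit together in a build.gradle: each Maven group is pinned to one declared repository, undeclared repositories are logged, and the comments give the command that produces the verification metadata Gradle checks artifacts against. The repository URLs, repository names and the allow-list are assumptions.

```groovy
// Added example, not the PR's own build script. Repository URLs,
// repository names and the "allowedRepos" set are assumptions.
repositories {
    // exclusiveContent pins a set of groups to ONE repository: those
    // groups resolve only here, and this repository serves nothing else.
    // A same-named artifact published to any other repository is ignored.
    exclusiveContent {
        forRepository {
            maven {
                name = "Fabric"
                url = "https://maven.fabricmc.net/"   // assumed URL
            }
        }
        filter {
            includeGroup "net.fabricmc"
            includeGroupByRegex "net\\.fabricmc\\..*"
        }
    }
    exclusiveContent {
        forRepository {
            maven {
                name = "Mojang"
                url = "https://libraries.minecraft.net/"   // assumed URL
            }
        }
        filter { includeGroup "com.mojang" }
    }
    mavenCentral()   // everything else, from Maven Central only
}

// Counterpart of the PR's "log unknown repositories" check: warn when a
// plugin silently adds a repository that is not on the allow list.
def allowedRepos = ["Fabric", "Mojang", "MavenRepo"] as Set   // assumed
afterEvaluate {
    repositories.each { repo ->
        if (!allowedRepos.contains(repo.name)) {
            logger.warn("Undeclared repository '${repo.name}' was added; " +
                        "review it before trusting artifacts from it.")
        }
    }
}

// Dependency verification itself lives in gradle/verification-metadata.xml,
// which Gradle checks every artifact against before using it. Generate and
// commit it once, then regenerate when dependencies change:
//   ./gradlew --write-verification-metadata sha256 help
// Any artifact whose checksum is missing or differs fails the build with a
// "Dependency verification failed" error, so a swapped jar cannot resolve.
```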

Contributor Author

0-x-2-2 commented Nov 25, 2023

I have left some comments on the repositories block as it is the only thing that is a tiny bit problematic.

@jellysquid3
Member

Thanks for this pull request. We talked about it again earlier today, and I think it's a great improvement to the build pipeline. This will help prevent some kinds of build pipeline attacks, and certainly catch many subtle issues on the CI/CD.

I want to investigate merging this for the next major release, as changing it now in the Sodium 0.5.x branch would probably be disruptive to other projects and developers.

@jellysquid3 jellysquid3 self-assigned this Jan 10, 2024
@jellysquid3 jellysquid3 added this to the Sodium 0.6 milestone Jan 10, 2024
@jellysquid3
Member

I also think we will likely need some documentation added to the repository (possibly CONTRIBUTING.md) explaining how this works, and how to update the pinned dependencies. As far as I can tell, we'd be one of the only Fabric mods doing this, so people aren't going to be familiar with it.

@jellysquid3 jellysquid3 modified the milestones: Sodium 0.6, Sodium 0.7 Jan 28, 2024