ppkarwasz commented on PR #427:
URL: https://github.com/apache/commons-codec/pull/427#issuecomment-4150761301
> Do you plan on computing a hash of a Maven install folder?
Yes, the installation folder is usually unmodified, so we can expect the
same value for each version.
> Does that mean anything without accounting for files in a user's home
> `.m2` folder like `settings-security.xml`, `settings.xml`, and
> `toolchains.xml`? What about the local `.m2/repository/` cache? Anything can be
> in there in the sense that I can override existing JARs with local builds or
> manual installs.
I have a proof-of-concept plugin that lists all dependencies in the
attestation, but that might be overkill, since we already have the same
information in the SBOM and we validate the SBOM by doing a reproducibility
check.
> Will the project's attestation say a project was built with a list of
> plugins, those plugin hashes and all the hashes of their plugins and non-plugin
> dependencies?
Good point! I have seen that the CycloneDX Gradle plugin puts all the
components that appear during the build in the SBOM. The CycloneDX Maven plugin
does not do it. So I am confused whether the hashes for plugins should be in
the SBOM or in the attestation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
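The comment above talks about hashing a Maven install folder and about which files (user-editable settings, locally overridden JARs) such a hash does or does not account for. The following is an added example, not code from the commons-codec PR or from Maven itself: a deterministic digest over a directory tree, with an optional exclusion list for files an administrator is expected to edit. The `tree_digest`, `write_tree` and `demo` names, the hash-of-tree framing scheme and the fake Maven-like sample layout are all this example's own assumptions.

```python
"""Deterministic digest of a directory tree, e.g. a Maven installation.

Added example for the PR discussion above; it is not code from the
commons-codec PR or from Maven. It assumes a simple hash-of-tree scheme:
every regular file under the root contributes its relative POSIX path and
its bytes, in sorted path order, each length-prefixed so that two trees
cannot collide by moving bytes between a file name and its contents.
File modes, empty directories and symlinks are deliberately not part of
the digest.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _frame(data: bytes) -> bytes:
    """Length-prefix a byte string so the hash input is unambiguous."""
    return len(data).to_bytes(8, "big") + data


def tree_digest(root, exclude=(), algorithm="sha256") -> str:
    """Hex digest over all regular files below root, in sorted path order.

    exclude: relative POSIX paths (e.g. "conf/settings.xml") to leave out,
    for files that a local administrator is expected to edit.
    """
    root = Path(root)
    excluded = set(exclude)
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if rel in excluded or path.is_symlink() or not path.is_file():
                continue
            entries.append((rel, path))
    h = hashlib.new(algorithm)
    # Sorting makes the digest independent of the filesystem's listing order.
    for rel, path in sorted(entries):
        h.update(_frame(rel.encode("utf-8")))
        h.update(_frame(path.read_bytes()))
    return h.hexdigest()


def write_tree(root: Path, files: dict) -> None:
    """Create files (relative path -> bytes) below root."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


# Constructed sample mimicking a Maven distribution layout; the contents are fake.
SAMPLE_INSTALL = {
    "bin/mvn": b"#!/bin/sh\nexec java -cp boot/plexus-classworlds.jar Launcher\n",
    "boot/plexus-classworlds.jar": b"PK\x03\x04fake-classworlds",
    "conf/settings.xml": b"<settings/>\n",
    "lib/maven-core.jar": b"PK\x03\x04fake-maven-core",
}
# Files an administrator may legitimately edit after installation (assumed set).
LOCAL_CONFIG = {"conf/settings.xml"}


def demo() -> dict:
    """Show what the digest does and does not detect on two copies of the sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp) / "a", Path(tmp) / "b"
        write_tree(a, SAMPLE_INSTALL)
        write_tree(b, SAMPLE_INSTALL)
        results = {"identical_copies_match": tree_digest(a) == tree_digest(b)}

        # An administrator edits the global settings file in copy b.
        (b / "conf/settings.xml").write_bytes(b"<settings><mirrors/></settings>\n")
        results["config_edit_changes_digest"] = tree_digest(a) != tree_digest(b)
        results["config_edit_ignored_when_excluded"] = (
            tree_digest(a, LOCAL_CONFIG) == tree_digest(b, LOCAL_CONFIG)
        )

        # A jar in copy b is replaced; still detected even with the config excluded.
        (b / "lib/maven-core.jar").write_bytes(b"PK\x03\x04tampered")
        results["jar_edit_detected_when_config_excluded"] = (
            tree_digest(a, LOCAL_CONFIG) != tree_digest(b, LOCAL_CONFIG)
        )

        # Naive concatenation of name and content would give "ab" for both of
        # these trees; the length prefixes keep their digests apart.
        c, d = Path(tmp) / "c", Path(tmp) / "d"
        write_tree(c, {"a": b"b"})
        write_tree(d, {"ab": b""})
        results["boundary_shift_changes_digest"] = tree_digest(c) != tree_digest(d)
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The exclusion list is the practical answer to the question in the thread about locally edited files: a fixed, documented set of paths is left out so that the digest stays stable across installations of the same version, while any change to a shipped JAR is still caught. Anything outside the install folder, such as the user's `.m2` directory, is by construction not covered by this digest and would need to be attested separately.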