Skip to content

Hardened Gradle builds with Gradle dependency verification and defined module restrictions on third-party maven repositories.#2174

Open
0-x-2-2 wants to merge 1 commit intoCaffeineMC:devfrom
0-x-2-2:dev
Open

Hardened Gradle builds with Gradle dependency verification and defined module restrictions on third-party maven repositories.#2174
0-x-2-2 wants to merge 1 commit intoCaffeineMC:devfrom
0-x-2-2:dev

Conversation

@0-x-2-2
Copy link
Contributor

@0-x-2-2 0-x-2-2 commented Nov 21, 2023

This prevents anyone from replacing dependencies from under our feet for any purpose, either with malicious intent or by accident.

See the Gradle documentation for more information:
https://docs.gradle.org/current/userguide/dependency_verification.html

@0-x-2-2
Hardened Gradle builds with Gradle dependency verification and define…
f0d8439 
…d module restrictions on third-party maven repositories.

This prevents anyone from replacing dependencies from under our feet for any purpose, either with malicious intent or by accident.

See the Gradle documentation for more information:
https://docs.gradle.org/current/userguide/dependency_verification.html
0-x-2-2
0-x-2-2 commented Nov 25, 2023
View reviewed changes
build.gradle
modImplementation "net.fabricmc:fabric-loader:${project.loader_version}"
repositories {
// Log if any unknown repositories were added non-explicitly.
forEach { repo ->
Copy link
Contributor Author

@0-x-2-2 0-x-2-2 Nov 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be removed if you don't like it.

0-x-2-2
0-x-2-2 commented Nov 25, 2023
View reviewed changes
build.gradle
minecraft "com.mojang:minecraft:${project.minecraft_version}"
mappings "net.fabricmc:yarn:${project.yarn_mappings}:v2"
modImplementation "net.fabricmc:fabric-loader:${project.loader_version}"
repositories {
Copy link
Contributor Author

@0-x-2-2 0-x-2-2 Nov 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This entire repositories block is not strictly required either but prevents downloading artifacts from the wrong place.

@0-x-2-2
Copy link
Contributor Author

0-x-2-2 commented Nov 25, 2023

I have left some comments on the repositories block as it is the only thing that is a tiny bit problematic.

@jellysquid3
Copy link
Member

jellysquid3 commented Jan 10, 2024

Thanks for this pull request. We talked about it again earlier today, and I think it's a great improvement to the build pipeline. This will help prevent some kinds of build pipeline attacks, and certainly catch many subtle issues on the CI/CD.

I want to investigate merging this for the next major release, as changing it now in the Sodium 0.5.x branch would probably be disruptive to other projects and developers.

@jellysquid3 jellysquid3 self-assigned this Jan 10, 2024
@jellysquid3 jellysquid3 added this to the Sodium 0.6 milestone Jan 10, 2024
@jellysquid3
Copy link
Member

jellysquid3 commented Jan 10, 2024

I also think we will likely need some documentation added to the repository (possibly CONTRIBUTING.md) explaining how this works, and how to update the pinned dependencies. As far as I can tell, we'd be one of the only Fabric mods doing this, so people aren't going to be familiar with it.

@jellysquid3 jellysquid3 modified the milestones: Sodium 0.6, Sodium 0.7 Jan 28, 2024
@douira douira removed this from the Sodium 0.7 milestone May 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jellysquid3 jellysquid3

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@0-x-2-2 @jellysquid3 @douira