
Enable Dependency Checksum Verification #5819

Description

@halibobo1205

Background

I noticed that Besu (a Java-based Ethereum client) has enabled dependency verification in this PR: Enable dependency checksum verification. However, TRON doesn't seem to have this feature enabled yet; working with external dependencies and plugins published on third-party repositories puts the build at risk. I suggest that TRON enable dependency verification to mitigate the security risks and avoid integrating compromised dependencies into the project.

Rationale

Dependency verification uses a mechanism introduced in Gradle 6.2, and it has been a stable feature since Gradle 7.0. This feature can be used for:

  • detecting compromised dependencies
  • detecting compromised plugins
  • detecting tampered dependencies in the local dependency caches

Implementation

    Status
    Done