Implement a standard repository configuration across Android projects
Categories: Firefox for Android :: General, task
People: Reporter: csadilek, Unassigned
Details
From github: https://github.com/mozilla-mobile/android-components/issues/3757.
Gradle introduced their dependency -> repository matching feature that can improve the security of our apps (see quoted text below) and performance of Gradle configuration. There are problems with expecting each team to implement & maintain this individually:
- They may implement it incorrectly
- They need to keep it up-to-date if the requirements change
- It takes time for each team to implement it
Ideally, we could share a solution across all of our projects so we only have to keep it up-to-date in one spot: we could leverage our gradle plugin to do so.
Copied from https://groups.google.com/a/mozilla.com/d/msg/mobile-all/CJinm9Tg4E0/veP0RiWvBwAJ:
You can improve the security of fetching your dependencies by using a feature Gradle released to match dependencies to specific repositories. In practice, the minimum security implementation looks something like:
    maven { url "https://maven.mozilla.org/maven2" }
    google()
    jcenter {
        content {
            excludeGroupByRegex "mozilla.components..."
            excludeGroupByRegex "com.google..."
        }
    }
which will prevent us from accidentally downloading malicious dependencies from jcenter that are, e.g.:
- newer versions of our dependencies
- commonly typo'd versions of our dependencies
Here's a PR for a complete implementation on FFTV that we've been using for over a month: note that it also uses this feature to decrease Gradle configuration time. I think most consumer apps should be able to copy it verbatim.
N.B.: this API is considered Incubating in Gradle and is subject to breaking changes.
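A complete repository block in the shape the message describes, as an added example here, not the FFTV PR and not Mozilla's Gradle plugin. It assumes a Groovy DSL build.gradle and Gradle 5.1 or newer (where repository content filtering appeared), and the group patterns are assumptions about which groups each repository should serve; a project would adjust them to its own dependencies.

```groovy
// build.gradle (Groovy DSL). Added example; not the FFTV PR or the Mozilla Gradle plugin.
// Requires Gradle 5.1+ for repository content filtering (an incubating API).
// Group patterns below are assumptions for illustration; adjust to the groups a project uses.
allprojects {
    repositories {
        // Mozilla artifacts are served only by maven.mozilla.org: a same-named group
        // published to another repository can never satisfy these coordinates.
        maven {
            url "https://maven.mozilla.org/maven2"
            content {
                includeGroupByRegex "org\\.mozilla.*"
            }
        }

        // Android SDK, AndroidX and Google libraries come only from Google's repository.
        google {
            content {
                includeGroupByRegex "com\\.android.*"
                includeGroupByRegex "androidx.*"
                includeGroupByRegex "com\\.google.*"
            }
        }

        // Everything else may come from jcenter, but never the groups above, so an
        // unexpected newer version or a look-alike group published there is ignored.
        // Gradle also skips contacting this repository for those groups, which is the
        // configuration-time saving the message mentions.
        jcenter {
            content {
                excludeGroupByRegex "org\\.mozilla.*"
                excludeGroupByRegex "com\\.android.*"
                excludeGroupByRegex "androidx.*"
                excludeGroupByRegex "com\\.google.*"
            }
        }
    }
}
```

A quick check that the filters are not too narrow is to run `./gradlew dependencies` (or a normal build): a dependency that no repository's filter admits fails resolution with a "Could not find" error that lists the repositories Gradle actually searched. Content filtering only decides where a coordinate may be fetched from; it does not verify what is fetched, so it complements rather than replaces checksum or signature verification of the artifacts themselves.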
Issue is synchronized with this Jira Task
Change performed by the Move to Bugzilla add-on.