checksum-dependency-plugin is a superset of gradle-witness, and it makes it possible to increase the level of security.

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin

See https://medium.com/@vladimirsitniko/dependency-verification-checksum-vs-pgp-582e76207019?sk=7485298b76eaf9f935b899b002f4c3b5

See https://github.com/spring-projects/spring-framework/issues/23434

Comment From: vlsi

Hi, I see the PR has not been reviewed much yet :)

You might be interested that Gradle 6.2 introduces in-core dependency verification

The documentation can be reviewed here: https://github.com/gradle/gradle/pull/11755

From what I know, Gradle would cover more cases when compared with checksum-dependency-plugin. For instance, it will be able to verify the pom.xml files that are implicitly fetched by Gradle when resolving transitive dependencies, and probably other cases.

Some bits can be previewed in the current release candidates, release nightly builds and master nightly builds (see https://gradle.org/releases/ )

It would be nice if you could preview the feature and provide your feedback.
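As an added illustration of the checksum side of that verification (example code, not from Gradle or from this PR): a small Python check that reads artifact digests from a file in Gradle's verification-metadata.xml layout and verifies both a jar and its pom, the case the comment above singles out. The coordinates, artifact bytes and digests are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Default namespace used by Gradle's verification-metadata.xml.
NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed artifact bytes (not real Maven artifacts).
JAR_BYTES = b"constructed jar bytes, not a real artifact"
POM_BYTES = b"<project>constructed pom</project>"

# Constructed metadata in Gradle's layout; the sha256 values are
# derived from the constructed bytes above so the sample verifies.
METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
  </configuration>
  <components>
    <component group="example.org" name="demo-lib" version="1.0">
      <artifact name="demo-lib-1.0.jar">
        <sha256 value="{hashlib.sha256(JAR_BYTES).hexdigest()}"/>
      </artifact>
      <artifact name="demo-lib-1.0.pom">
        <sha256 value="{hashlib.sha256(POM_BYTES).hexdigest()}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""


def load_checksums(xml_text):
    """Map artifact file name -> expected sha256 (lower-case hex)."""
    root = ET.fromstring(xml_text)
    expected = {}
    for artifact in root.findall(".//v:artifact", NS):
        digest = artifact.find("v:sha256", NS)
        if digest is not None:
            expected[artifact.get("name")] = digest.get("value").lower()
    return expected


def verify_artifact(name, data, expected):
    """Return (ok, reason). Artifacts with no recorded checksum fail closed,
    which is what makes implicitly fetched poms visible to the check."""
    if name not in expected:
        return False, "no checksum recorded for " + name
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected[name]:
        return False, "sha256 mismatch for " + name
    return True, "ok"
```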

Comment From: bclozel

Spring Framework has many optional dependencies and maintaining a verification-metadata.xml file that's over 330K big is not really manageable. In the meantime we've seen that sigstore (and it seems you're contributing there) is trying a different approach.

We're generally interested in this theme but we don't think the current approach will fit our project. We'll keep an eye on alternate solutions. Thanks!

Comment From: vlsi

@bclozel , sigstore won't be much different by the way.

In a nutshell:

* PGP: "we maintain a list of PGP keys and checksums we trust. The PGP key id for each dependency is taken from the official website"
* Sigstore: "we trust logback if the artifact was built with GitHub Action release.yaml running in github.com/qos-ch/logback repository"

In both cases, the amount of metadata is pretty much the same, and the main difference would be that "PGP key ids are unreadable" while "GitHub Action release.yaml running in github.com/qos-ch/logback repository" would be pretty much understandable by humans.