jdev - 2022-08-22


  1. moparisthebest

    does anyone know of android apps built using jitpack.io? better check your dependencies quickly, it looks easy to take them over and Nextcloud News among others have already been attacked https://github.com/nextcloud/news-android/issues/1109#issuecomment-1222033175

  2. moparisthebest

    Conversations doesn't appear to use it; I didn't check anything else

  3. Sam

    oh fun, I have that installed. Guess I'll go take a look.

  4. moparisthebest

    this particular takeover just leaks your IP to some Russian; it's assumed he was targeting the app of the biggest bank in Ukraine, which he was successful with :/

  5. moparisthebest

    but I mainly meant as a more "be careful where you pull your deps from, and avoid jitpack" general thing :D

  6. jonas’

    sooo.... jitpack.io does domain validation on java package names (i.e. you need to prove that you own foo.bar.baz to get baz.bar.foo.java built?) and some dependency doesn't own the namespace they used?

  7. jonas’

    sooo.... jitpack.io does domain validation on java package names (i.e. you need to prove that you own foo.bar.baz to get baz.bar.foo.java built?) and some dependency doesn't own the namespace they used anymore?

  8. moparisthebest

    jonas’, my impression is they didn't originally require domain registration but allow domain registration to override anything... :|

  9. jonas’

    https://github.com/nextcloud/news-android/issues/1109#issuecomment-1222269277

  10. moparisthebest

    maven central isn't jitpack though

  11. jonas’

    moparisthebest, do you have evidence to support your theory? because that comment there suggests that the cause could've been an expired domain (without corresponding revocation of packages)

  12. moparisthebest

    everything should be using maven central, it *does* do those kinds of checks, and also enforces PGP signing

  13. moparisthebest

    looks like it might require it (now anyway) https://docs.jitpack.io/#custom-domain-name