-
moparisthebest
does anyone know of Android apps built using jitpack.io? better check your dependencies quickly, it looks easy to take them over and nextcloud news among others have already been attacked https://github.com/nextcloud/news-android/issues/1109#issuecomment-1222033175
-
moparisthebest
Conversations doesn't appear to use it, I didn't check anything else
-
Sam
oh fun, I have that installed. Guess I'll go take a look.
-
moparisthebest
this particular takeover just leaks your IP to some Russian, it's assumed he was targeting the app of the biggest bank in Ukraine which he was successful with :/
-
moparisthebest
but I mainly meant as a more "be careful where you pull your deps from, and avoid jitpack" general thing :D
-
jonas’
sooo.... jitpack.io does domain validation on java package names (i.e. you need to prove that you own foo.bar.baz to get baz.bar.foo.java built?) and some dependency doesn't own the namespace they used anymore?
-
moparisthebest
jonas’, my impression is they didn't originally require domain registration but allow domain registration to override anything... :|
-
jonas’
https://github.com/nextcloud/news-android/issues/1109#issuecomment-1222269277
-
moparisthebest
maven central isn't jitpack though
-
jonas’
moparisthebest, do you have evidence to support your theory? because that comment there suggests that the cause could've been an expired domain (without corresponding revocation of packages)
-
moparisthebest
everything should be using maven central, it *does* do those kind of checks, and also enforces PGP signing
-
moparisthebest
looks like it might require it (now anyway) https://docs.jitpack.io/#custom-domain-name