MINOR: new checksum verification in gradlew #20658
Conversation
github-actions
bot
added
triage
|
Th PR description is not correct. We don't want to revert whole changes. Als, please reference to the conversation |
Done |
|
@joshua2519 I have another idea that we could check the |
joshua2519
changed the title
joshua2519
changed the title
@chia7712 |
wrapper.gradle
Outdated
|
|
||
| def bootstrapString = """ | ||
| # Loop in case we encounter an error. | ||
| REQUIRED_WRAPPER_JAR_CHECKSUM=\$(curl -sSL "$wrapperJarChecksumUrl") |
There was a problem hiding this comment.
Could you please hardcode the sha?
There was a problem hiding this comment.
Thanks for that. Considering that Gradle version updates are infrequent, hardcoding the SHA is a much more efficient method than retrieving the checksum every time. I've included a code comment to ensure the checksum is also updated whenever we perform a Gradle version upgrade.
wrapper.gradle
Outdated
| continue | ||
| fi | ||
| else | ||
| # Verify checksum of existing wrapper JAR. |
There was a problem hiding this comment.
Please add comments explaining the reason for adding this mechanism
| sleep 5 | ||
| continue | ||
| fi | ||
| else |
There was a problem hiding this comment.
This branch causes the unnecessary loops, right?
There was a problem hiding this comment.
Yes
Could it be better to add a condition to break the loop?
| if [ "\$LOCAL_WRAPPER_JAR_CHECKSUM" != "\$REQUIRED_WRAPPER_JAR_CHECKSUM" ] ; then | ||
| rm -f "$wrapperJarPath" | ||
| else | ||
| break |
There was a problem hiding this comment.
@chia7712
The loop will break once the JAR file exists and the checksum matches.
There was a problem hiding this comment.
What happens if users' local machine can't use either sha256sum or shasum?
There was a problem hiding this comment.
@chia7712
Thank you for pointing that out.
If no checksum tool is found, exit with an error.
gradlew
Outdated
| LOCAL_WRAPPER_JAR_CHECKSUM=$(shasum -a 256 "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" | awk '{print $1}') | ||
| else | ||
| # If no checksum tool is found, exit with an error. | ||
| die "ERROR: Cannot find sha256sum or shasum to verify wrapper JAR. Please install one of these tools." |
There was a problem hiding this comment.
Could we just skip the sha check if there is no available tool?
wrapper.gradle
Outdated
| elif command -v shasum >/dev/null 2>&1; then | ||
| LOCAL_WRAPPER_JAR_CHECKSUM=\$(shasum -a 256 "$wrapperJarPath" | awk '{print \$1}') | ||
| else | ||
| # If no checksum tool is found, exit with an error. |
There was a problem hiding this comment.
If no checksum tool is found, exit with an error. this comment is out-of-date, right?
There was a problem hiding this comment.
Thanks for catching this. I have fixed it.
|
I have completed the following tests locally:
|
| def wrapperBaseUrl = "https://raw.githubusercontent.com/gradle/gradle/v$versions.gradle/gradle/wrapper" | ||
| def wrapperJarUrl = wrapperBaseUrl + "/gradle-wrapper.jar" | ||
| // IMPORTANT: This checksum **must** be updated whenever the Gradle version changes. | ||
| String wrapperChecksum = "76805e32c009c0cf0dd5d206bddc9fb22ea42e84db904b764f3047de095493f3" |
There was a problem hiding this comment.
Could you please merge wrapperBaseUrl with wrapperJarUrl and then move wrapperChecksum up to line#41? Doing so would remind future developers to update both variables
According to the [discussion](apache#19513 (comment)) in apache#19513 , add a new checksum verification process to determine whether a new wrapper JAR needs to be downloaded. This prevents developers from running into incompatibility issues when using an outdated wrapper JAR after a Gradle upgrade. Reviewers: Chia-Ping Tsai <[email protected]>
2 participants
According to the
discussion
in #19513 , add a new checksum verification process to determine whether
a new wrapper JAR needs to be downloaded.
This prevents developers from running into incompatibility issues when
using an outdated wrapper JAR after a Gradle upgrade.
Reviewers: Chia-Ping Tsai [email protected]