Internet usage #47
Comments
Found the culprit, someone is rehosting the library in a modified form here: https://bintray.com/jakewhaarton/timber/com.github.adrielcafe%3AAndroidAudioRecorder

So we are not getting the code from Jitpack?

You can grab this library just fine, you just have to make sure you pull it from Jitpack instead of the fake version from jcenter. You can do this by listing Jitpack first (but at least before jcenter) among your repositories:

```groovy
repositories {
    maven { url "https://jitpack.io" }
    jcenter()
}
```

Just following this up, this whole incident is now captured in this awesome blog writeup by @zsmb13. Nice work! https://blog.autsoft.hu/a-confusing-dependency/ Scary to see that these sorts of supply chain attacks are actually a reality.
@zsmb13 Just putting any repository first still leaves this possible:

```groovy
repositories {
    maven { url "https://jitpack.io" } // for https://github.com/adrielcafe/AndroidAudioRecorder
    jcenter()
}
```

Now it is finally possible with Gradle to specify what exactly to get from a repository:

```groovy
repositories {
    mavenCentral {
        content {
            excludeGroup "com.github.adrielcafe"
        }
    }
    maven {
        url "https://jitpack.io"
        // for https://github.com/adrielcafe/AndroidAudioRecorder
        content { includeGroup "com.github.adrielcafe" }
    }
}
```

So if we are to get a dependency from one specific repository, we should not try from any other. I cannot find exact Gradle DSL for Gradle DSL valuable finding is that
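Added example (not from this thread and not the project's own build file): the Gradle DSL that pins a group to exactly one repository, so that no other repository is ever consulted for it, is `exclusiveContent`, available since Gradle 6.2. The group `com.github.adrielcafe` and the JitPack URL are taken from the snippets above; the artifact coordinate and the version number are assumptions for illustration.

```groovy
// build.gradle (Groovy DSL). Added example, not the project's own file; requires Gradle 6.2+.
repositories {
    // Everything in the group com.github.adrielcafe may ONLY be resolved from JitPack.
    // Gradle will not ask mavenCentral() (or jcenter()) for this group at all,
    // so a look-alike artifact hosted elsewhere cannot win by repository ordering.
    exclusiveContent {
        forRepository {
            maven { url "https://jitpack.io" }
        }
        filter {
            includeGroup "com.github.adrielcafe"
        }
    }
    // Every other group resolves from Maven Central as usual.
    mavenCentral()
}

dependencies {
    // Coordinate and version are assumed for the example; the real ones come from the project README.
    implementation "com.github.adrielcafe:AndroidAudioRecorder:1.0.0"
}
```

Unlike a plain `content { includeGroup ... }` filter on one repository, `exclusiveContent` also implicitly excludes the group from every other declared repository, which is the "should not try from any other" behaviour wanted above. To additionally detect a swapped artifact after the fact, record checksums once with `gradle --write-verification-metadata sha256 help` (also Gradle 6.2+) and commit the generated `gradle/verification-metadata.xml`; a later build that receives a different binary for the same coordinates then fails instead of silently shipping it.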
File list from https://status.bintray.com/incidents/w4dfr0rpznkt (referenced from https://autsoft.net/hu/a-confusing-dependency/ ). So anyone pulling these dependencies/versions between July 2017 and December 2018 has used/shipped a hacked dependency with malicious code:

@paulvi I believe that that is indeed an accurate read of the situation.
This is the code of the `AndroidAudioRecorder` constructor in the code on GitHub:

However, this is the code of the same constructor in the published `.aar` as well as the published `sources.jar` file.

Please explain this difference.