zec
/
secant-android-wallet
mirror of https://github.com/zcash/secant-android-wallet.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Apply suggestions from code review 

Co-authored-by: Francisco Gindre <francisco@z.cash>
This commit is contained in:
Carter Jernigan 2021-12-13 16:04:16 -05:00 committed by GitHub
parent dd5390d837
commit 22fe9fbfc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/Build integrity.md
View File

@ -1,12 +1,12 @@
# Build Integrity
Multiple tools can be put in place to enhance build integrity and reduce the risk of supply chain issues. These tools include:
* Policy — We try to minimize third party dependencies, especially when they are not provided by Google and JetBrains. We also try to minimize the number of Gradle plugins.
* Checklists — Our [pull request checklist](../.github/pull_request_template.md) specifies only running code from contributors after reviewing the changes first. Our [dependency update checklist](../.github/ISSUE_TEMPLATE/dependency.md) specifies verifying lock file changes during dependency updates.
Multiple tools can be put in place to enhance build integrity and reduce the risk of supply chain issues. These tools include:
* Policy — We try to minimize third party dependencies, especially when they are not provided by Google and JetBrains. We also try to minimize the number of Gradle plugins.
* Checklists — Our [pull request checklist](../.github/pull_request_template.md) specifies only running code from contributors after reviewing the changes first. Our [dependency update checklist](../.github/ISSUE_TEMPLATE/dependency.md) specifies verifying lock file changes during dependency updates.
* Fixed dependency versions — For our dependency declarations, we use exact dependency versions in gradle.properties instead of version ranges.
* Dependency locking
* Gradle buildscript (e.g. plugins) dependencies are locked
* Kotlin Multiplatform modules have dependency locking enabled
* Android modules do not have dependency locking for transitive dependencies enabled. [Issue #55](https://github.com/zcash/secant-android-wallet/issues/55) tracks this feature request.
* Android modules do not have dependency locking for transitive dependencies enabled. [Issue #55](https://github.com/zcash/secant-android-wallet/issues/55) tracks this feature request.
* Dependency hash or signature verification
* Gradle — The SHA256 for Gradle is stored in [gradle/wrapper/gradle-wrapper.properties](../gradle/wrapper/gradle-wrapper.properties) which is verified when Gradle is downloaded for the first time
* Gradle Wrapper — The SHA256 for the Gradle Wrapper is verified on the continuous integration server