Is the Gradle witness plugin allowed?

Hey,

I would like to integrate signalapp/gradle-witness (a Gradle plugin that enables static verification for remote dependencies) in some apps. The plugin compares hash sums of downloaded Gradle dependencies with a list in the Gradle file. Because the plugin can be manipulated itself, it needs to be in the repo as a jar file.
Are jar files allowed as a dependency in F-Droid?
Transportr also uses this plugin and I couldn’t see that it’s removed for fdroid builds.

Gradle Witness does not verify plugins and this makes its use quite questionable.

JARs are prohibited by the inclusion policy, but fdroidserver won’t throw an error if you add one.
