Kotlin Native downloads executables from the internet and executes them as part of its build process. I just saw these specific files being downloaded:
- https://download.jetbrains.com/kotlin/native/libffi-3.2.1-2-linux-x86-64.tar.gz
- https://download.jetbrains.com/kotlin/native/lldb-4-linux.tar.gz
- https://download.jetbrains.com/kotlin/native/llvm-11.1.0-linux-x64-essentials.tar.gz
- https://download.jetbrains.com/kotlin/native/x86_64-unknown-linux-gnu-gcc-8.3.0-glibc-2.19-kernel-4.9-2.tar.gz
It bypasses the Gradle verification methods. It is plain to see that none of those files are in gradle/verification-metadata.xml, yet Gradle with verification enabled does not complain.
Anyone know if Kotlin Native does any of its own verification?
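
A way to check the coverage gap described above, as an added example that is not part of the original post: it parses a Gradle `verification-metadata.xml` and reports which of the listed download URLs have no pinned SHA-256 entry. Matching by archive file name, the function names, and the embedded sample metadata are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from posixpath import basename
from urllib.parse import urlparse

# Namespace used by Gradle's dependency verification file.
NS = {"g": "https://schema.gradle.org/dependency-verification"}

# URLs listed in the post above.
KONAN_URLS = [
    "https://download.jetbrains.com/kotlin/native/libffi-3.2.1-2-linux-x86-64.tar.gz",
    "https://download.jetbrains.com/kotlin/native/lldb-4-linux.tar.gz",
    "https://download.jetbrains.com/kotlin/native/llvm-11.1.0-linux-x64-essentials.tar.gz",
    "https://download.jetbrains.com/kotlin/native/"
    "x86_64-unknown-linux-gnu-gcc-8.3.0-glibc-2.19-kernel-4.9-2.tar.gz",
]

# Constructed sample metadata (not from a real project); the digest is a placeholder.
SAMPLE_METADATA = """<verification-metadata
    xmlns="https://schema.gradle.org/dependency-verification">
   <components>
      <component group="org.example" name="demo-lib" version="1.0.0">
         <artifact name="demo-lib-1.0.0.jar">
            <sha256 value="PLACEHOLDER_SHA256" origin="constructed sample"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""

def pinned_artifacts(metadata_xml):
    """Map each artifact file name to the set of SHA-256 values pinned for it."""
    root = ET.fromstring(metadata_xml)
    pinned = {}
    for artifact in root.iterfind(".//g:artifact", NS):
        digests = {h.get("value") for h in artifact.iterfind("g:sha256", NS)}
        pinned.setdefault(artifact.get("name"), set()).update(digests)
    return pinned

def uncovered(urls, metadata_xml):
    """Return the URLs whose file name has no pinned SHA-256 in the metadata."""
    pinned = pinned_artifacts(metadata_xml)
    return [u for u in urls if not pinned.get(basename(urlparse(u).path))]

if __name__ == "__main__":
    # Against a real project, read gradle/verification-metadata.xml instead.
    for url in uncovered(KONAN_URLS, SAMPLE_METADATA):
        print("no pinned checksum:", url)
```
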