Frieder Bluemle 2020-01-22 16:44:11 -08:00
parent 6651bb31dd
commit c95c3c3f46
No known key found for this signature in database
GPG key ID: EEAAFC3A01B5FFC6
2 changed files with 3 additions and 4 deletions

.gitignore vendored

@ -98,6 +98,5 @@ Thumbs.db
__tests__/runner/* __tests__/runner/*
lib/**/* lib/**/*
.idea .idea/
*.iml *.iml
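Review bot: The trailing slash in `.idea/` narrows the pattern to directories only, which is fine for the JetBrains project directory, but note that the old `.idea` entry also matched a plain file of that name, so behaviour changes slightly. More importantly, the hunk header `@ -98,6 +98,5 @@` counts six old lines against five new, so one line was removed beyond the `.idea` to `.idea/` rename, yet the rendered hunk shows only that single change; please confirm the dropped line was intentional and not an accidental deletion of another ignore rule.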


@ -15,7 +15,7 @@ Searching across GitHub you can find many pull requests (PRs) with helpful title
Many of these PRs are contributed by individuals outside of the organization maintaining the project. Many of these PRs are contributed by individuals outside of the organization maintaining the project.
Many maintainers are incredibly grateful for these kinds of contributions as it takes an item off of their backlog. Many maintainers are incredibly grateful for these kinds of contributions as it takes an item off of their backlog.
We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from an external contributors. We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors.
There is a certain amount of blind trust open source maintainers have. There is a certain amount of blind trust open source maintainers have.
Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the `gradle-wrapper.jar` that looks like this. Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the `gradle-wrapper.jar` that looks like this.
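Review bot: The change from "from an external contributors" to "from external contributors" is the right grammar fix. Since this paragraph is being touched anyway, the unchanged context line "There is a certain amount of blind trust open source maintainers have." reads awkwardly and could be "Open source maintainers extend a certain amount of blind trust." Likewise, the closing sentence "...with a diff to the `gradle-wrapper.jar` that looks like this." introduces what comes next, so ending it with a colon rather than a period would read more naturally.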