7ce1ca87e9
Address two follow-ups from the Tor (arti) MR review. Supply-chain hardening for the arti-mobile AAR, a native artifact with network-proxy privileges: - Pin the gpmaven Maven source to an immutable commit SHA (guardianproject/gpmaven@b3ee2a6) instead of the mutable `master` branch, so a force-push or new commit can't silently change what we resolve. - Verify the resolved AAR's SHA-256 at build time (verifyArtiChecksum, wired ahead of assemble/bundle). A mismatch fails the build before any APK is produced. Scoped to the one privileged artifact rather than enabling global dependency verification, which would force-verify every transitive dep. Reconcile stale "apply on relaunch" / "next app launch" doc comments in AppContext.ts, tor.ts, useTor.ts, TorController.java, and TorPlugin.java with the actual behavior: the Advanced Settings toggle activates Tor live via start/stop (arti starts/stops immediately, relay layer remounts); the persisted flag only governs cold-launch auto-start.
// Top-level build file where you can add configuration options common to all sub-projects/modules.
// Build-script classpath. The Gradle plugins listed here execute as part of
// the build itself; this block declares only google() and mavenCentral() as
// the repositories they are resolved from.
buildscript {
    repositories {
        google()
        mavenCentral()
    }

    dependencies {
        // Both plugins are requested at an exact version.
        classpath('com.android.tools.build:gradle:8.13.0')
        classpath('com.google.gms:google-services:4.4.4')

        // Application dependencies do not go in this block; declare them in
        // the build.gradle of the module that uses them.
    }
}
// Pull in the script at the relative path "variables.gradle". An applied
// script is evaluated as part of this build, so it deserves the same review
// as this file.
apply(from: "variables.gradle")
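// Repositories used to resolve dependencies for every project in the build.
allprojects {
    repositories {
        google()
        mavenCentral()
        // Guardian Project's experimental Maven repo, hosting the prebuilt
        // org.torproject:arti-mobile AAR (Tor in Rust) used for the optional Tor mode.
        //
        // Pinned to an immutable commit SHA rather than the mutable `master`
        // branch: this artifact ships a native library with network-proxy
        // privileges, so we don't want a force-push or new commit to gpmaven
        // silently changing what we resolve. To bump arti, update both the
        // commit below and the checksum pin in `app/build.gradle`, and re-verify
        // the SHA-256 against a fresh download.
        //
        // Commit: guardianproject/gpmaven@b3ee2a63eec4ce37ea22fcc6b1ff009f406f2b13
        maven {
            url "https://raw.githubusercontent.com/guardianproject/gpmaven/b3ee2a63eec4ce37ea22fcc6b1ff009f406f2b13"
            // Restrict this third-party repository to the group we actually
            // take from it. Without a content filter Gradle may also consult
            // it for any coordinate the repositories above do not serve, and
            // the checksum pin only protects the arti AAR.
            // NOTE(review): assumes arti-mobile needs nothing else hosted on
            // gpmaven; if it does, add that group here explicitly rather
            // than removing the filter.
            content {
                includeGroup "org.torproject"
            }
        }
    }
}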
// Root-level `clean`: a Delete task that removes the root project's build
// directory.
task clean(type: Delete) {
    delete(rootProject.buildDir)
}