Add timeout and SHA256 checksum verification for native library downloads #210

@sanchitmonga22

Overview

Impact: Medium | Priority: P2 | Effort: Medium

The native library download tasks in multiple Kotlin Multiplatform modules use URL().openStream() without connection/read timeouts and lack checksum verification. This poses supply chain security risks and can cause builds to hang indefinitely on network issues.

Problem Statement

What's the issue?

The download logic in build.gradle.kts files for:

  • runanywhere-core-jni
  • runanywhere-core-llamacpp
  • runanywhere-core-onnx

uses URL(downloadUrl).openStream(), which:

  1. Has no connection or read timeout - builds can hang indefinitely on network issues
  2. Lacks checksum verification - downloaded binaries are not validated, creating supply chain security risk

Why does it matter?

  • Build reliability: Network issues can cause CI/CD pipelines to hang indefinitely
  • Security: Without checksum verification, compromised binaries could be downloaded without detection
  • Maintainability: The same download logic is duplicated across three modules

Current State

Affected files:

  • sdk/runanywhere-kotlin/modules/runanywhere-core-jni/build.gradle.kts (lines 212-229)
  • sdk/runanywhere-kotlin/modules/runanywhere-core-llamacpp/build.gradle.kts (lines 218-235)
  • sdk/runanywhere-kotlin/modules/runanywhere-core-onnx/build.gradle.kts (similar pattern)

Current code pattern:

URL(downloadUrl).openStream().use { input ->
    zipFile.outputStream().use { output ->
        input.copyTo(output)
    }
}

Proposed Solution

1. Add connection and read timeouts

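import java.net.HttpURLConnection
import java.net.URL

val connection = URL(downloadUrl).openConnection() as HttpURLConnection
connection.connectTimeout = 30_000  // 30 seconds
connection.readTimeout = 120_000    // 2 minutes for large files
connection.inputStream.use { input ->
    // Stream the response to disk, as in the current code pattern
    zipFile.outputStream().use { output ->
        input.copyTo(output)
    }
}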

2. Add SHA256 checksum verification

  • Download .sha256 checksum files alongside binaries
  • Verify downloaded file against expected checksum before extraction
  • Fail build if checksum doesn't match

3. Extract to shared Gradle convention plugin

Create a shared build logic module to avoid duplication:

sdk/runanywhere-kotlin/build-logic/
├── build.gradle.kts
└── src/main/kotlin/
    └── NativeLibraryDownloadPlugin.kt

Implementation Plan

  • Create build-logic module with shared download utilities
  • Implement HttpURLConnection with timeouts
  • Add SHA256 checksum verification
  • Update runanywhere-core-jni to use shared plugin
  • Update runanywhere-core-llamacpp to use shared plugin
  • Update runanywhere-core-onnx to use shared plugin
  • Update GitHub release workflow to generate .sha256 files

Success Criteria

  • All download tasks have 30s connect timeout and 2min read timeout
  • All downloaded binaries are verified against SHA256 checksums
  • Download logic is consolidated in a single shared module
  • CI builds fail gracefully on network timeout instead of hanging
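
An added sketch of the timeout and checksum steps proposed above, using only JDK classes; it is not part of the original issue or the project's code. The function names and the `.sha256` URL suffix in the usage comment are assumptions, and the checksum file is assumed to hold either a bare hex digest or `sha256sum`-style output.

```kotlin
import java.io.File
import java.net.HttpURLConnection
import java.net.URL
import java.nio.file.Files
import java.nio.file.StandardCopyOption
import java.security.DigestInputStream
import java.security.MessageDigest

// Hypothetical helpers; timeouts are the values proposed in the issue.
fun openWithTimeouts(url: String): HttpURLConnection =
    (URL(url).openConnection() as HttpURLConnection).apply {
        connectTimeout = 30_000   // 30 seconds
        readTimeout = 120_000     // 2 minutes for large files
        check(responseCode == HttpURLConnection.HTTP_OK) { "HTTP $responseCode for $url" }
    }

// Accepts "<hex>" or sha256sum-style "<hex>  <filename>"; rejects anything else.
fun parseSha256File(text: String): String {
    val hex = text.trim().split(Regex("\\s+")).first().lowercase()
    require(Regex("[0-9a-f]{64}").matches(hex)) { "Malformed SHA256 checksum file" }
    return hex
}

fun fetchExpectedSha256(checksumUrl: String): String {
    val conn = openWithTimeouts(checksumUrl)
    try {
        return parseSha256File(conn.inputStream.bufferedReader().use { it.readText() })
    } finally { conn.disconnect() }
}

fun downloadVerified(url: String, expectedHex: String, dest: File) {
    val digest = MessageDigest.getInstance("SHA-256")
    val tmp = File(dest.absoluteFile.parentFile, dest.name + ".part")
    val conn = openWithTimeouts(url)
    try {
        // Hash while streaming so the bytes are read only once.
        DigestInputStream(conn.inputStream, digest).use { input ->
            tmp.outputStream().use { output -> input.copyTo(output) }
        }
        val actualHex = digest.digest().joinToString("") { "%02x".format(it) }
        check(MessageDigest.isEqual(actualHex.toByteArray(), expectedHex.lowercase().toByteArray())) {
            "SHA256 mismatch for $url: expected $expectedHex, got $actualHex"
        }
        // Only a verified file ever appears at the destination path.
        Files.move(tmp.toPath(), dest.toPath(), StandardCopyOption.REPLACE_EXISTING)
    } finally {
        tmp.delete()      // removes the partial file on any failure
        conn.disconnect()
    }
}
// Usage (assumed naming): downloadVerified(downloadUrl, fetchExpectedSha256("$downloadUrl.sha256"), zipFile)
```

A checksum file fetched from the same release as the binary catches corruption and truncated downloads. Detecting a replaced release asset requires the expected hash to come from a source the release uploader cannot change, such as a value committed to the repository.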
