RFR: 8264010: Add Gradle dependency verification [v2]
Kevin Rushforth
kcr at openjdk.java.net
Mon Apr 12 22:11:58 UTC 2021
On Wed, 24 Mar 2021 19:45:55 GMT, John Neffenger <jgneff at openjdk.org> wrote:
>> This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
>>
>> * [JDK-8262236][1]: Configure Gradle checksum verification
>> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
>> * [JDK-8264010][3]: Add Gradle dependency verification
>>
>> "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
>>
>> * [Cédric Champeau at Devoxx][6] in November 2019
>> * [Louis Jacomet at Jfokus][7] in February 2020
>>
>> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
>>
>> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
>> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
>> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>>
>> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
>> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
>> [6]: https://youtu.be/GWGNp3a3hpk
>> [7]: https://youtu.be/bwiafNatsf0
>
> John Neffenger has updated the pull request incrementally with one additional commit since the last revision:
>
> Add a README file and update 'UPDATING-lucene.txt'
Yes, there are two updates:
1. As you noted, PR #450 was withdrawn in favor of PR #456, and the latter is now integrated. As a result, there will be no `icudt-64l.zip` file, but you will see a new download artifact, `icu4c-68.2-data-bin-l.zip`, once you merge the latest master into your branch and do a build with WebKit.
2. With the integration of PR #460 this morning, there is a new devkit for Xcode 12.4. Here is the updated list of internal artifacts:
cmake-3.13.3-Darwin-x86_64.tar.gz
cmake-3.13.3-Linux-x86_64.tar.gz
cmake-3.13.3-win32-x86.zip
devkit-linux_x64-gcc10.2.0-OL6.4+1.0.tar.gz
devkit-macosx_x64-Xcode11.3.1-MacOSX10.15+1.0.tar.gz
devkit-macosx-Xcode12.4+1.0.tar.gz
devkit-windows_x64-VS2019-16.7.2+1.0.tar.gz
jfx-devkit-gcc-patch+1.1.tar.gz
ninja-win.zip
Since this should be settled down for now, I'll send you the checksums some time later this week (presuming you have added the media and WebKit artifacts by then).
-------------
PR: https://git.openjdk.java.net/jfx/pull/437
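The thread above is about recording SHA-256 checksums for build downloads so that Gradle can refuse a tampered or unlisted artifact. The following is an added example, not code from the JavaFX build or from Gradle itself: a small Python model of the two phases involved, writing verification metadata from a trusted set of artifacts (the bootstrap that `gradle --write-verification-metadata sha256` performs) and then verifying a later set against it. The XML shape follows Gradle's `verification-metadata.xml` (component group/name/version, artifact, sha256), but the artifacts, coordinates and payloads are constructed in memory; the real devkit, cmake and ICU downloads named in the thread are not embedded, and the `com.example` coordinates are assumptions.

```python
"""Simplified model of Gradle dependency verification (added example).

Not code from the JavaFX build or from Gradle. The XML layout mirrors
gradle/verification-metadata.xml, but all artifacts below are constructed
in-memory stand-ins with assumed 'com.example' coordinates.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = "https://schema.gradle.org/dependency-verification"

# Constructed trusted artifacts: (group, name, version, filename) -> bytes.
TRUSTED = {
    ("com.example", "toolchain", "1.0", "toolchain-1.0-linux_x64.tar.gz"): b"toolchain payload, release build",
    ("com.example", "builder", "2.3", "builder-2.3-win.zip"): b"builder payload, release build",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes, the value Gradle records."""
    return hashlib.sha256(data).hexdigest()


def write_metadata(artifacts: dict) -> str:
    """Bootstrap phase: record a checksum for every artifact currently trusted.

    Mirrors what `--write-verification-metadata sha256` produces; the output
    should then be reviewed and committed alongside the build scripts.
    """
    root = ET.Element("verification-metadata", xmlns=NS)
    cfg = ET.SubElement(root, "configuration")
    ET.SubElement(cfg, "verify-metadata").text = "true"
    ET.SubElement(cfg, "verify-signatures").text = "false"
    comps = ET.SubElement(root, "components")
    for (group, name, version, fname), data in sorted(artifacts.items()):
        comp = ET.SubElement(comps, "component", group=group, name=name, version=version)
        art = ET.SubElement(comp, "artifact", name=fname)
        ET.SubElement(art, "sha256", value=sha256_hex(data))
    return ET.tostring(root, encoding="unicode")


def load_expected(xml_text: str) -> dict:
    """Parse metadata into (group, name, version, filename) -> sha256 hex."""
    root = ET.fromstring(xml_text)
    ns = {"v": NS}
    expected = {}
    for comp in root.findall("v:components/v:component", ns):
        base = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("v:artifact", ns):
            digest = art.find("v:sha256", ns)
            expected[base + (art.get("name"),)] = digest.get("value")
    return expected


def verify(xml_text: str, artifacts: dict) -> list:
    """Verification phase: every resolved artifact must be listed and match.

    Returns a list of problem strings; an empty list means the build may
    proceed. Both a changed artifact and an artifact with no recorded
    checksum are failures, which is how Gradle treats them as well.
    """
    expected = load_expected(xml_text)
    problems = []
    for key, data in sorted(artifacts.items()):
        want = expected.get(key)
        got = sha256_hex(data)
        if want is None:
            problems.append(f"{key[3]}: no checksum recorded (unlisted artifact)")
        elif want != got:
            problems.append(f"{key[3]}: sha256 mismatch, expected {want[:12]}..., got {got[:12]}...")
    return problems


def demo() -> list:
    """Write metadata from TRUSTED, then verify a resolved set in which one
    artifact was altered and one unrecorded artifact was introduced."""
    metadata = write_metadata(TRUSTED)
    resolved = dict(TRUSTED)
    altered_key = ("com.example", "toolchain", "1.0", "toolchain-1.0-linux_x64.tar.gz")
    resolved[altered_key] = b"toolchain payload, modified in transit"
    resolved[("com.example", "extra", "0.1", "extra-0.1.jar")] = b"never reviewed"
    return verify(metadata, resolved)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of splitting the two phases is that the bootstrap run only establishes what the build currently downloads; the checksums it writes are worth exactly as much as the review they get before being committed, which is why the thread exchanges checksums out of band rather than trusting whatever the first download returned.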