RFR: 8264010: Add Gradle dependency verification [v3]
Kevin Rushforth
kcr at openjdk.java.net
Sat Apr 17 21:37:36 UTC 2021
On Wed, 14 Apr 2021 04:32:29 GMT, John Neffenger <jgneff at openjdk.org> wrote:
>> This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
>>
>> * [JDK-8262236][1]: Configure Gradle checksum verification
>> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
>> * [JDK-8264010][3]: Add Gradle dependency verification
>>
>> "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
>>
>> * [Cédric Champeau at Devoxx][6] in November 2019
>> * [Louis Jacomet at Jfokus][7] in February 2020
>>
>> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
>>
>> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
>> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
>> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>>
>> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
>> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
>> [6]: https://youtu.be/GWGNp3a3hpk
>> [7]: https://youtu.be/bwiafNatsf0
>
> John Neffenger has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
>
> - Add dependencies for media and WebKit libraries
> - Merge branch 'master' into dependency-verification
> - Add a README file and update 'UPDATING-lucene.txt'
> - 8264010: Add Gradle dependency verification
Yeah, I noticed that about the names, too. Not sure it's worth worrying about, although it is a little odd.
Btw, I have the final list of internal downloads that I'll pass on to you, so you can add them to the PR. I've done a CI build with this version of `verification.xml` and it passes.
You can see the diffs here: kevinrushforth/jfx at ce1aefaae76c5197008ab6a7d09ae89b5deb8ba4
-------------
PR: https://git.openjdk.java.net/jfx/pull/437