RFR: 8264010: Add Gradle dependency verification [v4]

Kevin Rushforth kcr at openjdk.java.net
Mon Apr 19 13:53:43 UTC 2021


On Sat, 17 Apr 2021 23:17:04 GMT, John Neffenger <jgneff at openjdk.org> wrote:

>> This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
>> 
>> * [JDK-8262236][1]: Configure Gradle checksum verification
>> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
>> * [JDK-8264010][3]: Add Gradle dependency verification
>> 
>> "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
>> 
>> * [Cédric Champeau at Devoxx][6] in November 2019
>> * [Louis Jacomet at Jfokus][7] in February 2020
>> 
>> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
>> 
>> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
>> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
>> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>> 
>> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
>> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
>> [6]: https://youtu.be/GWGNp3a3hpk
>> [7]: https://youtu.be/bwiafNatsf0
>
> John Neffenger has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add dependencies for internal builds at Oracle

Looks good, with one comment on the new `README.txt` file.

gradle/README.txt line 10:

> 8: dependency verification file as follows:
> 9: 
> 10: $ gradle --write-verification-metadata sha256 help

This isn't sufficient for many of the dependencies. Gradle won't try to download external dependencies until the point they are used. For example: the `junit` dependency is downloaded only when running `gradle test`, the icu data dependency is downloaded only when building the sdk with `-PCOMPILE_WEBKIT=true`, the libav media libraries (for Linux) are downloaded only when building the sdk with `-PCOMPILE_MEDIA=true -PBUILD_LIBAV_STUBS=true`, etc.

-------------

PR: https://git.openjdk.java.net/jfx/pull/437
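The review comment above notes that a single `gradle --write-verification-metadata sha256 help` run misses every dependency Gradle only resolves when a particular task or build property needs it. The script below is an added example, not part of this e-mail or of the JavaFX build: it runs the metadata writer once per build variant named in the comment so the checksums of the lazily resolved dependencies are captured too. It assumes a JavaFX checkout in the current directory, a `gradle` (or `./gradlew`, via the `GRADLE` variable) on `PATH`, and that the "build the sdk" step corresponds to an `sdk` task; the `variants`, `metadata_commands`, `run_all` and `check_metadata` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PR or the JavaFX project): write Gradle dependency
# verification metadata once per build variant, because Gradle downloads an
# external dependency only when a task actually needs it.
# Assumptions: JavaFX checkout in the current directory; `gradle` on PATH (or
# GRADLE=./gradlew); the `sdk` task name is assumed, the -P properties and the
# `help`/`test` tasks are those named in the review comment.
set -eu

GRADLE="${GRADLE:-gradle}"
CHECKSUM="${CHECKSUM:-sha256}"

# One build variant per line: the task plus the -P properties that make Gradle
# resolve dependencies a plain `help` run never touches.
variants() {
    cat <<'EOF'
help
test
sdk -PCOMPILE_WEBKIT=true
sdk -PCOMPILE_MEDIA=true -PBUILD_LIBAV_STUBS=true
EOF
}

# Print the full command line for each variant, for review or execution.
metadata_commands() {
    variants | while IFS= read -r args; do
        printf '%s --write-verification-metadata %s %s\n' "$GRADLE" "$CHECKSUM" "$args"
    done
}

# Number of variants a run covers; lets a caller sanity-check the list.
variant_count() {
    variants | wc -l | tr -d ' '
}

# Run every command, aborting on the first failure. Repeated
# --write-verification-metadata runs merge into gradle/verification-metadata.xml
# rather than replacing the entries written by earlier variants.
run_all() {
    metadata_commands | while IFS= read -r cmd; do
        echo "==> $cmd"
        sh -c "$cmd"
    done
}

# After all variants: the metadata file must exist and carry at least one
# checksum entry of the requested algorithm; reports how many it found.
check_metadata() {
    file="${1:-gradle/verification-metadata.xml}"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    n=$(grep -c "<$CHECKSUM " "$file" || true)
    [ "$n" -gt 0 ] || { echo "no $CHECKSUM entries in $file" >&2; return 1; }
    echo "$file: $n $CHECKSUM entries"
}

# `sh this-script.sh run` executes the variants; without `run` it only defines
# the functions so the command list can be inspected with `metadata_commands`.
if [ "${1:-}" = "run" ]; then
    run_all
    check_metadata
fi
```

Adding a variant is a matter of appending a line to `variants`; each extra task or property combination that pulls in a dependency the others do not (as the review comment lists for `junit`, the icu data and the libav stubs) needs its own line, or the generated file stays incomplete and the first build that uses the missing dependency fails verification.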