RFR: 8264010: Add Gradle dependency verification [v5]

John Neffenger jgneff at openjdk.java.net
Thu Apr 29 23:52:30 UTC 2021


> This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
> 
> * [JDK-8262236][1]: Configure Gradle checksum verification
> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
> * [JDK-8264010][3]: Add Gradle dependency verification
> 
> "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
> 
> * [Cédric Champeau at Devoxx][6] in November 2019
> * [Louis Jacomet at Jfokus][7] in February 2020
> 
> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
> 
> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
> 
> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
> [6]: https://youtu.be/GWGNp3a3hpk
> [7]: https://youtu.be/bwiafNatsf0

John Neffenger has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains ten additional commits since the last revision:

 - Add more details to the instructions in the README
   
   Add more details to the file 'gradle/README.txt' on how to create and
   update the dependency verification file for Linux, macOS, Windows, and
   the internal Oracle builds.
 - Remove older unused Oracle internal dependencies
 - Add two more Oracle internal dependencies
 - Merge branch 'master' into dependency-verification
 - Add dependencies for internal builds at Oracle
 - Add dependencies for media and WebKit libraries
 - Merge branch 'master' into dependency-verification
 - Add a README file and update 'UPDATING-lucene.txt'
 - 8264010: Add Gradle dependency verification

-------------

Changes:
  - all: https://git.openjdk.java.net/jfx/pull/437/files
  - new: https://git.openjdk.java.net/jfx/pull/437/files/b0435b29..75fa032e

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=04
 - incr: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=03-04

  Stats: 3879 lines in 71 files changed: 3202 ins; 428 del; 249 mod
  Patch: https://git.openjdk.java.net/jfx/pull/437.diff
  Fetch: git fetch https://git.openjdk.java.net/jfx pull/437/head:pull/437

PR: https://git.openjdk.java.net/jfx/pull/437