RFR: 8262236: Configure Gradle checksum verification
John Neffenger
github.com+1413266+jgneff at openjdk.java.net
Tue Feb 23 17:29:56 UTC 2021
The recent supply-chain attacks in the news are making me nervous! ��
The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
This pull requests adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
-------------
Commit messages:
- Configure Gradle checksum verification
Changes: https://git.openjdk.java.net/jfx/pull/411/files
Webrev: https://webrevs.openjdk.java.net/?repo=jfx&pr=411&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8262236
Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
Patch: https://git.openjdk.java.net/jfx/pull/411.diff
Fetch: git fetch https://git.openjdk.java.net/jfx pull/411/head:pull/411
PR: https://git.openjdk.java.net/jfx/pull/411
More information about the openjfx-dev
mailing list