RFR: 8262236: Configure Gradle checksum verification
Kevin Rushforth
kcr at openjdk.java.net
Tue Feb 23 19:00:40 UTC 2021
On Tue, 23 Feb 2021 17:25:47 GMT, John Neffenger <github.com+1413266+jgneff at openjdk.org> wrote:
> The recent supply-chain attacks in the news are making me nervous! ��
>
> The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
>
> This pull requests adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
>
> We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
Looks good. I confirmed that the checksum is correct, and that a bad checksum will fail the build.
-------------
Marked as reviewed by kcr (Lead).
PR: https://git.openjdk.java.net/jfx/pull/411
More information about the openjfx-dev
mailing list