RFR: 8262236: Configure Gradle checksum verification

Kevin Rushforth kcr at openjdk.java.net
Tue Feb 23 19:07:40 UTC 2021


On Tue, 23 Feb 2021 18:57:59 GMT, Kevin Rushforth <kcr at openjdk.org> wrote:

>> The recent supply-chain attacks in the news are making me nervous!
>> 
>> The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
>> 
>> This pull request adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
>> 
>> We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
>
> Looks good. I confirmed that the checksum is correct, and that a bad checksum will fail the build.

> 
> 
> > > We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
> > 
> > 
> > Feel free to file a bug and create a PR, if you are interested. I agree that this sounds like a good idea.
> 
> Isn't this configured directly through GitHub rather than with a pull request?

My reading of it [here](https://github.com/marketplace/actions/gradle-wrapper-validation#add-to-an-existing-workflow) is that we would add this action as a step to our workflow script, which is in [.github/workflows/submit.yml](https://github.com/openjdk/jfx/blob/master/.github/workflows/submit.yml).

> Once that GitHub Action is added, I was thinking of following up with a pull request that upgrades the Gradle Wrapper to version 6.3. The older wrapper is probably fine, but I think we should keep the Wrapper at the same version as the distribution it downloads.

As you noticed, I generally haven't done that when updating gradle versions, but I can see the value in doing so. Since the gradle wrapper is a third-party file that needs to be checked into the repo, someone from Oracle needs to integrate it. As long as it's not causing any problems, I think I'd rather wait until the next time this comes up.

-------------

PR: https://git.openjdk.java.net/jfx/pull/411
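The check the pull request describes, as an added example rather than code from the PR or the OpenJFX repository: a POSIX shell function that computes the SHA-256 of a downloaded Gradle distribution archive, compares it with a pinned digest, and returns nonzero on mismatch so that a build script calling it stops before extracting the archive. The fixture file, its digests and the `DEMO_*` names are constructed here for illustration; the real Gradle 6.3 digest is the one checked in by the PR and is not reproduced here. With the Gradle Wrapper the same check is enabled declaratively by setting `distributionSha256Sum` next to `distributionUrl` in `gradle/wrapper/gradle-wrapper.properties`.

```shell
#!/bin/sh
# Added example, not from the OpenJFX PR: verify an archive's SHA-256
# before extracting it. Returns 0 on match, 1 on mismatch or missing file.

# Compute the SHA-256 of a file, portable across sha256sum and shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_gradle_dist ARCHIVE EXPECTED_SHA256
# Compares the file's digest with the pinned one (hex, case-insensitive) and
# refuses on mismatch; a build script would call this before unzip.
verify_gradle_dist() {
    archive="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$archive" ]; then
        echo "verify_gradle_dist: $archive not found" >&2
        return 1
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "Checksum mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "Checksum OK for $archive"
    return 0
}

# Constructed fixture (hypothetical, for this example only): a small file
# standing in for gradle-6.3-bin.zip, and its digest computed once to act as
# the pinned value a build would check in.
DEMO_ARCHIVE=$(mktemp)
printf 'not really a gradle distribution\n' > "$DEMO_ARCHIVE"
DEMO_GOOD_SHA=$(sha256_of "$DEMO_ARCHIVE")
# Digest of a different file, as a substituted archive would produce.
DEMO_BAD_SHA=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Example run: the pinned digest passes, a substituted archive fails.
verify_gradle_dist "$DEMO_ARCHIVE" "$DEMO_GOOD_SHA"
verify_gradle_dist "$DEMO_ARCHIVE" "$DEMO_BAD_SHA" || echo "build would stop here"
```

Note that this verifies the distribution zip that the wrapper downloads; the Gradle Wrapper Validation action discussed in the thread checks a different artifact, the `gradle-wrapper.jar` committed to the repository, so the two are complementary rather than redundant.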

