Integrated: 8262236: Configure Gradle checksum verification
John Neffenger
github.com+1413266+jgneff at openjdk.java.net
Tue Feb 23 19:38:40 UTC 2021
On Tue, 23 Feb 2021 17:25:47 GMT, John Neffenger <github.com+1413266+jgneff at openjdk.org> wrote:
> The recent supply-chain attacks in the news are making me nervous! ��
>
> The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
>
> This pull requests adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
>
> We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
This pull request has now been integrated.
Changeset: dc342d33
Author: John Neffenger <john at status6.com>
Committer: Kevin Rushforth <kcr at openjdk.org>
URL: https://git.openjdk.java.net/jfx/commit/dc342d33
Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
8262236: Configure Gradle checksum verification
Reviewed-by: kcr
-------------
PR: https://git.openjdk.java.net/jfx/pull/411
More information about the openjfx-dev
mailing list