RFR: 8264010: Add Gradle dependency verification

Kevin Rushforth kcr at openjdk.java.net
Wed Mar 24 19:57:39 UTC 2021 

On Wed, 24 Mar 2021 19:50:11 GMT, John Neffenger <jgneff at openjdk.org> wrote:

>> This seems like a good idea to do. I have a couple overall questions before reviewing / testing.
>> 
>> 1. Can you add some sort of README file that describes the how to update the checksums? Also, the instructions in [UPDATING-lucene.txt](https://github.com/openjdk/jfx/blob/master/apps/samples/Ensemble8/UPDATING-lucene.txt) should be updated accordingly.
>> 2. Some of the files listed are not used directly. I presume that you added them because they are used indirectly by other components? Are all of them actually needed?
>
> Thanks, Kevin. I added a README file and updated the Lucene instructions, as you suggested. I'm open to any other suggestions on the wording or formatting, no matter how minor.
> 
>> Some of the files listed are not used directly. I presume that you added them because they are used indirectly by other components? Are all of them actually needed?
> 
> The Gradle command, now documented in the `gradle/README.txt` file, adds entries to the dependency verification file for all dependencies, including transitive ones. I think that's the list of everything downloaded during the builds on Linux, macOS, and Windows. I'll clear the Gradle cache and double-check it now. I'll let you know if I find anything unexpected.

Thanks for providing / updating the instructions.

My internal test build failed right off the bat, since we have a supplemental closed gradle file that augments the build and downloads additional build tools for our internal CI machines.

I don't yet know to handle this, since there is a single, global `validation.xml` file and no way that I know of to supplement this. This validation file must contain all artifacts that gradle downloads (and their transitive dependencies). From the gradle docs:

> A dependency verification configuration is global: a single file is used to configure verification of the whole build. In particular, the same file is used for both the (sub)projects and buildSrc.

-------------

PR: https://git.openjdk.java.net/jfx/pull/437

More information about the openjfx-dev mailing list