RFR: 8264010: Add Gradle dependency verification
John Neffenger
jgneff at openjdk.java.net
Wed Mar 24 21:08:40 UTC 2021
On Wed, 24 Mar 2021 19:55:20 GMT, Kevin Rushforth <kcr at openjdk.org> wrote:
> I don't yet know how to handle this ...
Would any of the following options work?
1. If you're using your own supplemental closed Gradle build file, create your own supplemental closed Gradle verification file, too. Before the internal build, replace the current file with your own.
2. Remove the verification file before running your internal build. In this case, though, you'll also lose its protection against software supply-chain attacks.
3. Add your internal dependency checksum entries to the public verification file and publish the updated file in the repository.
I think the protection from the verification file is worth having as a default in the public repository. Gluon, Oracle, BellSoft, and anyone else building JavaFX can decide, based on their own security assessment, whether or not they want to use it. The point of including the file in the repository is to make that decision explicit.
-------------
PR: https://git.openjdk.java.net/jfx/pull/437
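The third option above, folding internal checksum entries into the public verification file, as an added example that is not part of this message or of the OpenJFX build: the file format is Gradle's `gradle/verification-metadata.xml`, while the two documents, the component coordinates, artifact names and checksum values below are constructed placeholders. The merge refuses to overwrite a checksum the public file already pins, since a mismatch between the two files is exactly the signal a supply-chain check exists to surface.

```python
"""Merge internal dependency checksum entries into a public Gradle
verification file (gradle/verification-metadata.xml) without silently
overriding any checksum the public file already pins.

Added example; the two XML documents below are constructed and the
checksum values are placeholders, not real artifact digests."""
import xml.etree.ElementTree as ET

NS = "https://schema.gradle.org/dependency-verification"
ET.register_namespace("", NS)  # serialize with the default namespace Gradle expects

# Constructed stand-in for the public verification file in the repository.
PUBLIC_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="{NS}">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="org.example" name="public-lib" version="1.0">
         <artifact name="public-lib-1.0.jar">
            <sha256 value="{'a' * 64}" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""

# Constructed stand-in for an internal build's extra checksum entries.
INTERNAL_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="{NS}">
   <components>
      <component group="com.example.internal" name="closed-lib" version="2.3">
         <artifact name="closed-lib-2.3.jar">
            <sha256 value="{'b' * 64}" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""


def _tag(name):
    return f"{{{NS}}}{name}"


def _key(component):
    return (component.get("group"), component.get("name"), component.get("version"))


def merge_verification(public_xml, internal_xml):
    """Return the public document (as XML text) with the internal components folded in.

    Raises ValueError when both files pin the same artifact with a different
    checksum: that means one side is stale or tampered with and must be
    investigated, never overwritten."""
    root = ET.fromstring(public_xml)
    components = root.find(_tag("components"))
    if components is None:
        components = ET.SubElement(root, _tag("components"))
    known = {_key(c): c for c in components.iterfind(_tag("component"))}

    internal_root = ET.fromstring(internal_xml)
    for comp in internal_root.iterfind(f"{_tag('components')}/{_tag('component')}"):
        target = known.get(_key(comp))
        if target is None:
            components.append(comp)      # new component: copy it over whole
            known[_key(comp)] = comp
            continue
        for artifact in comp.iterfind(_tag("artifact")):
            existing = next((a for a in target.iterfind(_tag("artifact"))
                             if a.get("name") == artifact.get("name")), None)
            if existing is None:
                target.append(artifact)  # known component, new artifact
                continue
            for checksum in artifact:     # same artifact: compare each algorithm
                current = existing.find(checksum.tag)
                if current is None:
                    existing.append(checksum)
                elif current.get("value") != checksum.get("value"):
                    algo = checksum.tag.replace(f"{{{NS}}}", "")
                    raise ValueError(f"checksum conflict for {artifact.get('name')} ({algo})")
    return ET.tostring(root, encoding="unicode")


def pinned_artifacts(xml_text):
    """List (group:name:version, artifact, algorithm, value) for every pinned checksum."""
    out = []
    root = ET.fromstring(xml_text)
    for comp in root.iterfind(f"{_tag('components')}/{_tag('component')}"):
        for art in comp.iterfind(_tag("artifact")):
            for cs in art:
                algo = cs.tag.replace(f"{{{NS}}}", "")
                out.append((":".join(_key(comp)), art.get("name"), algo, cs.get("value")))
    return out


if __name__ == "__main__":
    merged = merge_verification(PUBLIC_XML, INTERNAL_XML)
    for entry in pinned_artifacts(merged):
        print(entry)
```

In a real workflow the internal entries would come from running Gradle's `--write-verification-metadata sha256` task against the closed build, and the merged document would be written back to `gradle/verification-metadata.xml` before publishing.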