Integrated: 8264010: Add Gradle dependency verification
John Neffenger
jgneff at openjdk.java.net
Mon May 3 16:30:59 UTC 2021
On Tue, 23 Mar 2021 05:32:04 GMT, John Neffenger <jgneff at openjdk.org> wrote:
> This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
>
> * [JDK-8262236][1]: Configure Gradle checksum verification
> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
> * [JDK-8264010][3]: Add Gradle dependency verification
>
> "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
>
> * [Cédric Champeau at Devoxx][6] in November 2019
> * [Louis Jacomet at Jfokus][7] in February 2020
>
> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
>
> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>
> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
> [6]: https://youtu.be/GWGNp3a3hpk
> [7]: https://youtu.be/bwiafNatsf0
This pull request has now been integrated.
Changeset: a9f6035c
Author: John Neffenger <jgneff at openjdk.org>
URL: https://git.openjdk.java.net/jfx/commit/a9f6035c9c1d4dc60aa960498d8dbb5e52827017
Stats: 325 lines in 3 files changed: 313 ins; 4 del; 8 mod
8264010: Add Gradle dependency verification
Co-authored-by: Kevin Rushforth <kcr at openjdk.org>
Reviewed-by: kcr, jvos
-------------
PR: https://git.openjdk.java.net/jfx/pull/437