List: openjdk-openjfx-dev
Subject: Integrated: 8262236: Configure Gradle checksum verification
From: John Neffenger <github.com+1413266+jgneff () openjdk ! java ! net>
Date: 2021-02-23 19:38:40
Message-ID: rYyeyGuOiRPp3tKBpm_AZUj85ozQl5-9ertM2syE2-o=.766e1d69-3424-4a8c-a07d-46d3059cac3b () github ! com
[Download RAW message or body]
On Tue, 23 Feb 2021 17:25:47 GMT, John Neffenger <github.com+1413266+jgneff@openjdk.org> wrote:
> The recent supply-chain attacks in the news are making me nervous! 😟
>
> The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
>
> This pull request adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
>
> We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
This pull request has now been integrated.
Changeset: dc342d33
Author: John Neffenger <john@status6.com>
Committer: Kevin Rushforth <kcr@openjdk.org>
URL: https://git.openjdk.java.net/jfx/commit/dc342d33
Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
8262236: Configure Gradle checksum verification
Reviewed-by: kcr
-------------
PR: https://git.openjdk.java.net/jfx/pull/411
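The check described in the quoted PR description, verifying the downloaded distribution's SHA-256 against the value pinned in the wrapper properties before it is extracted, as an added stand-alone example that is not the OpenJFX commit itself (the page does not show the diff). It assumes the Gradle wrapper's `distributionSha256Sum` property as the place the expected digest is pinned; the archive bytes and properties text are constructed here for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for gradle/wrapper/gradle-wrapper.properties; the
# distributionSha256Sum line is appended by demo() once the digest is known.
SAMPLE_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.3-bin.zip
"""


def parse_wrapper_properties(text):
    """Parse the key=value subset of Java Properties used by the wrapper file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the archive through SHA-256 so large distributions are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_distribution(archive_path, props):
    """True only if the archive matches the pinned digest; refuse to run unpinned archives."""
    expected = props.get("distributionSha256Sum")
    if not expected:
        raise ValueError("distributionSha256Sum not set: archive would run unverified")
    return hmac.compare_digest(sha256_of_file(archive_path).lower(), expected.lower())


def demo():
    """Check a constructed archive once unmodified and once after a one-byte change."""
    archive = b"PK\x03\x04 constructed stand-in for gradle-6.3-bin.zip"
    pinned = hashlib.sha256(archive).hexdigest()
    props = parse_wrapper_properties(SAMPLE_PROPERTIES + f"distributionSha256Sum={pinned}\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gradle-6.3-bin.zip")
        with open(path, "wb") as f:
            f.write(archive)
        accepted = verify_distribution(path, props)
        with open(path, "ab") as f:  # simulate a download altered in transit
            f.write(b"\x00")
        rejected = not verify_distribution(path, props)
    return accepted, rejected
```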