
List:       openjdk-openjfx-dev
Subject:    Re: RFR: 8264010: Add Gradle dependency verification [v5]
From:       Kevin Rushforth <kcr () openjdk ! java ! net>
Date:       2021-04-30 17:04:58
Message-ID: cc2o75mnny3eNyyIwNQD-GPenJ_N-Gfdt8Eb_sXhmGo=.213f243d-e38f-4f78-a9b7-bd4de8eb87f4 () github ! com

On Thu, 29 Apr 2021 23:52:30 GMT, John Neffenger <jgneff@openjdk.org> wrote:

> > This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
> > * [JDK-8262236][1]: Configure Gradle checksum verification
> > * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
> > * [JDK-8264010][3]: Add Gradle dependency verification
> > 
> > "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
> > * [Cédric Champeau at Devoxx][6] in November 2019
> > * [Louis Jacomet at Jfokus][7] in February 2020
> > 
> > "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
> > 
> > [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
> > [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
> > [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
> > [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
> > [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
> > [6]: https://youtu.be/GWGNp3a3hpk
> > [7]: https://youtu.be/bwiafNatsf0
> 
> John Neffenger has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains ten additional commits since the last revision:
> - Add more details to the instructions in the README
> 
>   Add more details to the file 'gradle/README.txt' on how to create and update the dependency verification file for Linux, macOS, Windows, and the internal Oracle builds.
> - Remove older unused Oracle internal dependencies
> - Add two more Oracle internal dependencies
> - Merge branch 'master' into dependency-verification
> - Add dependencies for internal builds at Oracle
> - Add dependencies for media and WebKit libraries
> - Merge branch 'master' into dependency-verification
> - Add a README file and update 'UPDATING-lucene.txt'
> - 8264010: Add Gradle dependency verification

PR #482 is now integrated, so once you get a second review, from Johan, you can integrate this.

-------------

PR: https://git.openjdk.java.net/jfx/pull/437
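As an added illustration of what the dependency verification discussed in this thread checks (example code written for this page, not code from the JavaFX PR or from Gradle): a small Python check that parses a constructed verification-metadata.xml in Gradle's dependency-verification schema and classifies a downloaded artifact as ok, mismatch, or missing. The component coordinates, file name and jar bytes are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of gradle/verification-metadata.xml (Gradle's dependency
# verification schema) pinning one artifact; {digest} is filled in below.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="org.example" name="lib" version="1.0">
         <artifact name="lib-1.0.jar">
            <sha256 value="{digest}"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""

# Constructed bytes standing in for a downloaded jar.
TRUSTED_JAR = b"PK\x03\x04 constructed jar contents for the example"


def load_pins(xml_text):
    """Return {(group, name, version, artifact): sha256 hex} from the metadata."""
    root = ET.fromstring(xml_text)
    pins = {}
    for comp in root.findall("{*}components/{*}component"):
        key = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("{*}artifact"):
            digest = art.find("{*}sha256")
            if digest is not None:
                pins[key + (art.get("name"),)] = digest.get("value").lower()
    return pins


def verify_artifact(pins, group, name, version, artifact, data):
    """Classify a download as Gradle would: 'ok', 'mismatch' (bytes differ from
    the pinned checksum) or 'missing' (nothing pinned, so the build must fail)."""
    expected = pins.get((group, name, version, artifact))
    if expected is None:
        return "missing"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"


def build_sample_pins():
    """Render the sample metadata with the trusted jar's real SHA-256 and parse it."""
    return load_pins(SAMPLE_METADATA.format(digest=hashlib.sha256(TRUSTED_JAR).hexdigest()))
```

A tampered artifact or one that is not pinned at all is rejected either way; the distinction matters because a missing entry usually means the metadata file needs updating, while a mismatch means the download itself is suspect.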
