On Tue, 23 Feb 2021 17:25:47 GMT, John Neffenger <github.com+1413266+jgn...@openjdk.org> wrote:
> The recent supply-chain attacks in the news are making me nervous! 😟
>
> The Gradle 6.3 distribution is the only software on my OpenJFX build system
> that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses
> digital signatures to authenticate each package, and Git uses a secure hash
> algorithm to ensure the integrity of each file, but there is no such check of
> the Gradle distribution before running it. During my OpenJFX builds, Gradle
> is downloaded from a Cloudflare server through an HTTPS proxy server, and
> there's no guarantee that it's the same file as the one published by the
> Gradle developers.
>
> This pull request adds the additional step of verifying the Gradle
> distribution on the build system before extracting its archive and running it.
>
> We might also consider adding the [Gradle Wrapper
> Validation](https://github.com/marketplace/actions/gradle-wrapper-validation)
> GitHub Action to the OpenJFX repository.

I presume that just adding the checksum will enable the validation? This sounds like a _very_ good idea. I'll review / test it.

> We might also consider adding the [Gradle Wrapper
> Validation](https://github.com/marketplace/actions/gradle-wrapper-validation)
> GitHub Action to the OpenJFX repository.

Feel free to file a bug and create a PR, if you are interested. I agree that this sounds like a good idea.

-------------

PR: https://git.openjdk.java.net/jfx/pull/411
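The check the pull request describes, as an added example that is not part of this thread or of the OpenJFX/Gradle code: the Gradle wrapper pins the distribution with a `distributionSha256Sum` entry in `gradle-wrapper.properties`, and the downloaded archive is hashed and compared before it is unpacked. The properties text, archive bytes and checksum below are constructed, not the real Gradle 6.3 values.

```python
import hashlib
import hmac

# Constructed stand-ins: a fake archive and the SHA-256 derived from it,
# used as the pinned value in a constructed gradle-wrapper.properties.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed stand-in for gradle-6.3-bin.zip"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
SAMPLE_PROPERTIES = f"""\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.3-bin.zip
distributionSha256Sum={SAMPLE_SHA256}
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""


def parse_wrapper_properties(text: str) -> dict:
    """Parse the key=value lines of gradle-wrapper.properties.

    Java properties files escape ':' in values as '\\:'; undo that so the
    distributionUrl is usable as written.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def verify_distribution(archive: bytes, props: dict) -> bool:
    """Return True only if the archive matches the pinned SHA-256.

    A properties file without distributionSha256Sum pins nothing, which is
    the gap the pull request closes, so that case fails rather than passes.
    """
    expected = props.get("distributionSha256Sum")
    if not expected:
        return False
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual.lower(), expected.lower())


if __name__ == "__main__":
    props = parse_wrapper_properties(SAMPLE_PROPERTIES)
    print(props["distributionUrl"], "verified:", verify_distribution(SAMPLE_ARCHIVE, props))
```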