On Tue, 23 Feb 2021 18:57:59 GMT, Kevin Rushforth <k...@openjdk.org> wrote:
>> The recent supply-chain attacks in the news are making me nervous! 😟
>>
>> The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
>>
>> This pull request adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
>>
>> We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
>
> Looks good. I confirmed that the checksum is correct, and that a bad checksum will fail the build.
>
> > > We might also consider adding the [Gradle Wrapper Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) GitHub Action to the OpenJFX repository.
> >
> > Feel free to file a bug and create a PR, if you are interested. I agree that this sounds like a good idea.
>
> Isn't this configured directly through GitHub rather than with a pull request?

My reading of it [here](https://github.com/marketplace/actions/gradle-wrapper-validation#add-to-an-existing-workflow) is that we would add this action as a step to our workflow script, which is in [.github/workflows/submit.yml](https://github.com/openjdk/jfx/blob/master/.github/workflows/submit.yml).

> Once that GitHub Action is added, I was thinking of following up with a pull request that upgrades the Gradle Wrapper to version 6.3. The older wrapper is probably fine, but I think we should keep the Wrapper at the same version as the distribution it downloads.

As you noticed, I generally haven't done that when updating gradle versions, but I can see the value in doing so. Since the gradle wrapper is a third-party file that needs to be checked into the repo, someone from Oracle needs to integrate it. As long as it's not causing any problems, I think I'd rather wait until the next time this comes up.

-------------

PR: https://git.openjdk.java.net/jfx/pull/411
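A small illustration, added here and not taken from the PR or from Gradle itself, of the check the description above asks for: refuse to extract a downloaded Gradle distribution unless its SHA-256 matches a value pinned in the repository (the Gradle Wrapper's built-in form of this is the `distributionSha256Sum` key in `gradle/wrapper/gradle-wrapper.properties`). The archive name, destination directory and hash values used here are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's code): verify a downloaded Gradle distribution
# against a pinned SHA-256 before anything extracts or runs it.
set -u

# Print the SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_distribution ARCHIVE EXPECTED_SHA256
# Returns 0 only when the archive's digest equals the pinned value.
# The comparison is case-insensitive because published checksums vary in case.
verify_distribution() {
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# install_distribution ARCHIVE EXPECTED_SHA256 DEST_DIR
# Extracts only after verification succeeds, so a tampered download never runs.
install_distribution() {
    verify_distribution "$1" "$2" || return $?
    mkdir -p "$3" && unzip -q "$1" -d "$3"
}
```

In a build script the pinned hash lives in the repository next to the wrapper version, so any change to it shows up in review like any other source change.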