On Tue, 23 Feb 2021 17:25:47 GMT, John Neffenger <github.com+1413266+jgn...@openjdk.org> wrote:
> The recent supply-chain attacks in the news are making me nervous! 😟
>
> The Gradle 6.3 distribution is the only software on my OpenJFX build system
> that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses
> digital signatures to authenticate each package, and Git uses a secure hash
> algorithm to ensure the integrity of each file, but there is no such check of
> the Gradle distribution before running it. During my OpenJFX builds, Gradle
> is downloaded from a Cloudflare server through an HTTPS proxy server, and
> there's no guarantee that it's the same file as the one published by the
> Gradle developers.
>
> This pull request adds the additional step of verifying the Gradle
> distribution on the build system before extracting its archive and running it.
>
> We might also consider adding the [Gradle Wrapper
> Validation](https://github.com/marketplace/actions/gradle-wrapper-validation)
> GitHub Action to the OpenJFX repository.

This pull request has now been integrated.

Changeset: dc342d33
Author:    John Neffenger <j...@status6.com>
Committer: Kevin Rushforth <k...@openjdk.org>
URL:       https://git.openjdk.java.net/jfx/commit/dc342d33
Stats:     1 line in 1 file changed: 1 ins; 0 del; 0 mod

8262236: Configure Gradle checksum verification

Reviewed-by: kcr

-------------

PR: https://git.openjdk.java.net/jfx/pull/411
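The check the pull request describes, verifying the downloaded Gradle distribution before extracting and running it, is what the Gradle wrapper does on its own when the `distributionSha256Sum` property is set in `gradle/wrapper/gradle-wrapper.properties`. The following shell script is an added example written for this page, not the OpenJFX change itself (the commit is not quoted here, and the hash value shown in the comment is a placeholder, not OpenJFX's real one). It performs the same verify-before-extract step by hand, so the failure mode is visible: a mismatching digest leaves the archive unextracted and reports the expected and actual values.

```shell
#!/bin/sh
# Added example (not OpenJFX project code): verify a downloaded archive's
# SHA-256 against a pinned value before extracting it. The Gradle wrapper
# performs the equivalent check when gradle-wrapper.properties contains:
#
#   distributionSha256Sum=<PLACEHOLDER: the published SHA-256 of the
#                         exact distribution named in distributionUrl>
#
# The pinned value is the real protection: it comes from the project's
# repository, not from the server that serves the archive, so a file swapped
# in transit or on the mirror fails the comparison.

# Print only the hex digest, using whichever tool the build host provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
# Published checksums vary in letter case, so compare case-insensitively.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_then_extract ARCHIVE EXPECTED_HEX DEST -> unzips only after the
# digest matches; on mismatch DEST is left untouched and 1 is returned.
# Gradle distributions are zip archives, hence unzip.
verify_then_extract() {
    verify_sha256 "$1" "$2" || return 1
    mkdir -p "$3"
    unzip -q "$1" -d "$3"
}

# Demo on a constructed file (not a real Gradle distribution): the first
# call matches, the second deliberately does not and reports the mismatch.
demo_file=$(mktemp)
printf 'constructed sample archive contents\n' > "$demo_file"
good=$(sha256_of "$demo_file")
verify_sha256 "$demo_file" "$good" && echo "match: OK, safe to extract"
if verify_sha256 "$demo_file" "0000000000000000000000000000000000000000000000000000000000000000"; then
    echo "unexpected match"
else
    echo "mismatch: archive not extracted"
fi
rm -f "$demo_file"
```

Run it as `sh verify_gradle.sh`; in a build script you would call `verify_then_extract gradle-6.3-bin.zip "$PINNED_SHA256" /opt/gradle` and abort the build on a non-zero return. Pinning the digest in version control is what makes the check meaningful: fetching the expected hash from the same server as the archive only verifies that the download was not corrupted, not that it is the file the Gradle developers published.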