This pull request adds dependency verification to the Gradle builds of JavaFX 
on Linux, macOS, and Windows. It is the third of three changes that close the 
gaps in the JavaFX build security:

* [JDK-8262236][1]: Configure Gradle checksum verification
* [JDK-8263204][2]: Add Gradle Wrapper Validation Action
* [JDK-8264010][3]: Add Gradle dependency verification

"Without dependency verification it's easy for an attacker to compromise your 
supply chain," warns the [Gradle User Guide][4]. All three changes come from 
conference talks by members of the Gradle team, available as [PDF slides][5] or 
on YouTube in the following two videos:

* [Cédric Champeau at Devoxx][6] in November 2019
* [Louis Jacomet at Jfokus][7] in February 2020

"We all run in a crazy-unsafe environment," says Louis Jacomet at the end of 
his talk. These three changes make it just a little less crazy-unsafe for all 
of us building JavaFX, regardless of our system, network, or country.

[1]: https://bugs.openjdk.java.net/browse/JDK-8262236
[2]: https://bugs.openjdk.java.net/browse/JDK-8263204
[3]: https://bugs.openjdk.java.net/browse/JDK-8264010

[4]: https://docs.gradle.org/current/userguide/dependency_verification.html
[5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
[6]: https://youtu.be/GWGNp3a3hpk
[7]: https://youtu.be/bwiafNatsf0

-------------

Commit messages:
 - 8264010: Add Gradle dependency verification

Changes: https://git.openjdk.java.net/jfx/pull/437/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8264010
  Stats: 173 lines in 1 file changed: 173 ins; 0 del; 0 mod
  Patch: https://git.openjdk.java.net/jfx/pull/437.diff
  Fetch: git fetch https://git.openjdk.java.net/jfx pull/437/head:pull/437

PR: https://git.openjdk.java.net/jfx/pull/437
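To make concrete what the dependency verification added by this PR checks, here is a small added example (not code from the PR, from JavaFX, or from Gradle): it parses a constructed gradle/verification-metadata.xml in the layout documented in the Gradle User Guide and applies the same rule Gradle does to every resolved artifact, namely that an artifact with no trusted entry, or with a digest that differs from the recorded one, fails the build. The coordinates org.example:lib:1.0 and org.example:extra:2.0, the jar bytes and the metadata file are all constructed for the example; Gradle's own implementation is the one that runs in the actual build.

```python
"""Minimal re-implementation of the check Gradle runs when dependency
verification is enabled.  Added example: not code from the JavaFX PR or
from Gradle itself.  All artifacts, coordinates and the metadata file
below are constructed for illustration."""
import hashlib
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed stand-ins for files in Gradle's dependency cache (not real jars).
GOOD_JAR = b"PK\x03\x04 constructed contents of lib-1.0.jar"
TAMPERED_JAR = GOOD_JAR + b"\x00 extra bytes a compromised mirror appended"
UNLISTED_JAR = b"PK\x03\x04 constructed contents of extra-2.0.jar"

# The digest a developer recorded with `gradle --write-verification-metadata sha256`.
TRUSTED_SHA256 = hashlib.sha256(GOOD_JAR).hexdigest()

# Constructed gradle/verification-metadata.xml; the layout follows the Gradle
# User Guide, the component coordinates are hypothetical.
METADATA_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="org.example" name="lib" version="1.0">
         <artifact name="lib-1.0.jar">
            <sha256 value="{TRUSTED_SHA256}" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""


def load_trusted_hashes(xml_text):
    """Map 'group:name:version:artifact' -> trusted sha256 from the metadata file."""
    root = ET.fromstring(xml_text)
    trusted = {}
    for comp in root.findall("v:components/v:component", NS):
        coord = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        for art in comp.findall("v:artifact", NS):
            sha = art.find("v:sha256", NS)
            if sha is not None:
                trusted[f"{coord}:{art.get('name')}"] = sha.get("value").lower()
    return trusted


def verify_artifact(key, data, trusted):
    """Return 'ok', 'missing' (no trusted entry) or 'mismatch' (digest differs).

    Anything other than 'ok' is a build failure under Gradle's rules: an
    artifact the metadata file does not list is as untrusted as a tampered one.
    """
    expected = trusted.get(key)
    if expected is None:
        return "missing"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected else "mismatch"


def verify_resolved(resolved, trusted):
    """Verify every resolved artifact; returns {key: verdict}."""
    return {key: verify_artifact(key, data, trusted) for key, data in resolved.items()}


def build_passes(results):
    """The build only proceeds when every resolved artifact verified 'ok'."""
    return all(verdict == "ok" for verdict in results.values())


# Constructed resolution result: one good artifact, one tampered copy of the
# same artifact, one artifact nobody ever recorded in the metadata file.
RESOLVED = {
    "org.example:lib:1.0:lib-1.0.jar": GOOD_JAR,
    "org.example:lib:1.0:lib-1.0-sources.jar": TAMPERED_JAR,
    "org.example:extra:2.0:extra-2.0.jar": UNLISTED_JAR,
}


def run_check():
    """Verify RESOLVED against METADATA_XML and return the per-artifact verdicts."""
    return verify_resolved(RESOLVED, load_trusted_hashes(METADATA_XML))


if __name__ == "__main__":
    results = run_check()
    for key, verdict in results.items():
        print(f"{verdict:8} {key}")
    print("BUILD", "PASSED" if build_passes(results) else "FAILED")
```

Note that the sources jar above fails with "missing" rather than "mismatch": it was never listed, so its bytes are not even compared. That is the property that makes the file useful against a compromised mirror or proxy, since an attacker cannot slip in an artifact the metadata does not name, and a changed jar fails on its digest.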
