On Tue, 23 Mar 2021 05:32:04 GMT, John Neffenger <jgn...@openjdk.org> wrote:

> This pull request adds dependency verification to the Gradle builds of JavaFX 
> on Linux, macOS, and Windows. It is the third of three changes that close the 
> gaps in the JavaFX build security:
> 
> * [JDK-8262236][1]: Configure Gradle checksum verification
> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
> * [JDK-8264010][3]: Add Gradle dependency verification
> 
> "Without dependency verification it's easy for an attacker to compromise your 
> supply chain," warns the [Gradle User Guide][4]. All three changes come from 
> conference talks by members of the Gradle team, available as [PDF slides][5] 
> or on YouTube in the following two videos:
> 
> * [Cédric Champeau at Devoxx][6] in November 2019
> * [Louis Jacomet at Jfokus][7] in February 2020
> 
> "We all run in a crazy-unsafe environment," says Louis Jacomet at the end of 
> his talk. These three changes make it just a little less crazy-unsafe for all 
> of us building JavaFX, regardless of our system, network, or country.
> 
> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
> 
> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
> [6]: https://youtu.be/GWGNp3a3hpk
> [7]: https://youtu.be/bwiafNatsf0

This seems like a good idea to do. I have a couple overall questions before 
reviewing / testing.

1. Can you add some sort of README file that describes how to update the 
checksums? Also, the instructions in 
[UPDATING-lucene.txt](https://github.com/openjdk/jfx/blob/master/apps/samples/Ensemble8/UPDATING-lucene.txt) 
should be updated accordingly.
2. Some of the files listed are not used directly. I presume that you added 
them because they are used indirectly by other components? Are all of them 
actually needed?

-------------

PR: https://git.openjdk.java.net/jfx/pull/437
