> This pull request adds dependency verification to the Gradle builds of JavaFX
> on Linux, macOS, and Windows. It is the third of three changes that close the
> gaps in the JavaFX build security:
>
> * [JDK-8262236][1]: Configure Gradle checksum verification
> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
> * [JDK-8264010][3]: Add Gradle dependency verification
>
> "Without dependency verification it's easy for an attacker to compromise your
> supply chain," warns the [Gradle User Guide][4]. All three changes come from
> conference talks by members of the Gradle team, available as [PDF slides][5]
> or on YouTube in the following two videos:
>
> * [Cédric Champeau at Devoxx][6] in November 2019
> * [Louis Jacomet at Jfokus][7] in February 2020
>
> "We all run in a crazy-unsafe environment," says Louis Jacomet at the end of
> his talk. These three changes make it just a little less crazy-unsafe for all
> of us building JavaFX, regardless of our system, network, or country.
>
> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>
> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
> [6]: https://youtu.be/GWGNp3a3hpk
> [7]: https://youtu.be/bwiafNatsf0
John Neffenger has updated the pull request incrementally with one additional commit since the last revision:

  Add a README file and update 'UPDATING-lucene.txt'

-------------

Changes:
  - all: https://git.openjdk.java.net/jfx/pull/437/files
  - new: https://git.openjdk.java.net/jfx/pull/437/files/2a11d401..c7ac7f62

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=00-01

  Stats: 53 lines in 2 files changed: 41 ins; 4 del; 8 mod
  Patch: https://git.openjdk.java.net/jfx/pull/437.diff
  Fetch: git fetch https://git.openjdk.java.net/jfx pull/437/head:pull/437

PR: https://git.openjdk.java.net/jfx/pull/437