On Tue, 23 Mar 2021 12:07:48 GMT, Kevin Rushforth <k...@openjdk.org> wrote:

>> This pull request adds dependency verification to the Gradle builds of 
>> JavaFX on Linux, macOS, and Windows. It is the third of three changes that 
>> close the gaps in the JavaFX build security:
>> 
>> * [JDK-8262236][1]: Configure Gradle checksum verification
>> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
>> * [JDK-8264010][3]: Add Gradle dependency verification
>> 
>> "Without dependency verification it's easy for an attacker to compromise 
>> your supply chain," warns the [Gradle User Guide][4]. All three changes come 
>> from conference talks by members of the Gradle team, available as [PDF 
>> slides][5] or on YouTube in the following two videos:
>> 
>> * [Cédric Champeau at Devoxx][6] in November 2019
>> * [Louis Jacomet at Jfokus][7] in February 2020
>> 
>> "We all run in a crazy-unsafe environment," says Louis Jacomet at the end of 
>> his talk. These three changes make it just a little less crazy-unsafe for 
>> all of us building JavaFX, regardless of our system, network, or country.
>> 
>> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
>> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
>> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>> 
>> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
>> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
>> [6]: https://youtu.be/GWGNp3a3hpk
>> [7]: https://youtu.be/bwiafNatsf0
>
> This seems like a good idea to do. I have a couple overall questions before 
> reviewing / testing.
> 
> 1. Can you add some sort of README file that describes how to update the 
> checksums? Also, the instructions in 
> [UPDATING-lucene.txt](https://github.com/openjdk/jfx/blob/master/apps/samples/Ensemble8/UPDATING-lucene.txt)
> should be updated accordingly.
> 2. Some of the files listed are not used directly. I presume that you added 
> them because they are used indirectly by other components? Are all of them 
> actually needed?

Thanks, Kevin. I added a README file and updated the Lucene instructions, as 
you suggested. I'm open to any other suggestions on the wording or formatting, 
no matter how minor.

> Some of the files listed are not used directly. I presume that you added them 
> because they are used indirectly by other components? Are all of them 
> actually needed?

The Gradle command, now documented in the `gradle/README.txt` file, adds 
entries to the dependency verification file for all dependencies, including 
transitive ones. I think that's the list of everything downloaded during the 
builds on Linux, macOS, and Windows. I'll clear the Gradle cache and 
double-check it now. I'll let you know if I find anything unexpected.

-------------

PR: https://git.openjdk.java.net/jfx/pull/437
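The check that Gradle dependency verification performs against the entries described above (one per artifact, transitive dependencies included), as an added example that is not part of the PR or of JavaFX. The metadata document, the artifact bytes and the version `X.Y.Z` are constructed for the demonstration; only the XML shape follows Gradle's `verification-metadata.xml` format.

```python
"""Check artifact bytes against a Gradle verification-metadata.xml (added example)."""
import hashlib
import xml.etree.ElementTree as ET
NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed sample in the shape `--write-verification-metadata sha256` emits:
# one direct dependency and one transitive one. Bytes and hashes are made up
# here; they are not real Lucene or JavaFX checksums.
CORE_JAR = b"constructed bytes standing in for lucene-core.jar"
TRANSITIVE_JAR = b"constructed bytes standing in for a transitive jar"
METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.apache.lucene" name="lucene-core" version="X.Y.Z">
      <artifact name="lucene-core-X.Y.Z.jar">
        <sha256 value="{hashlib.sha256(CORE_JAR).hexdigest()}" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="example" name="transitive-dep" version="1.0">
      <artifact name="transitive-dep-1.0.jar">
        <sha256 value="{hashlib.sha256(TRANSITIVE_JAR).hexdigest()}" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""


def load_checksums(xml_text: str) -> dict:
    """Map artifact file name -> recorded sha256, as Gradle would read it."""
    root = ET.fromstring(xml_text)
    expected = {}
    for artifact in root.iterfind(".//v:artifact", NS):
        digest = artifact.find("v:sha256", NS)
        if digest is not None:
            expected[artifact.get("name")] = digest.get("value").lower()
    return expected


def verify(artifact_name: str, data: bytes, expected: dict) -> str:
    """'ok' if bytes match the record, 'mismatch' if they differ (the case
    dependency verification exists to catch), 'missing' if the artifact has
    no entry, which is what a newly added transitive dependency looks like."""
    if artifact_name not in expected:
        return "missing"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected[artifact_name] else "mismatch"
```

A "missing" result is the signal to regenerate the metadata file rather than to silence the failure; a "mismatch" on an unchanged version is the one that deserves investigation before the build proceeds.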
