On Wed, 24 Mar 2021 19:45:55 GMT, John Neffenger <jgn...@openjdk.org> wrote:
>> This pull request adds dependency verification to the Gradle builds of
>> JavaFX on Linux, macOS, and Windows. It is the third of three changes that
>> close the gaps in the JavaFX build security:
>>
>> * [JDK-8262236][1]: Configure Gradle checksum verification
>> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
>> * [JDK-8264010][3]: Add Gradle dependency verification
>>
>> "Without dependency verification it's easy for an attacker to compromise
>> your supply chain," warns the [Gradle User Guide][4]. All three changes come
>> from conference talks by members of the Gradle team, available as [PDF
>> slides][5] or on YouTube in the following two videos:
>>
>> * [Cédric Champeau at Devoxx][6] in November 2019
>> * [Louis Jacomet at Jfokus][7] in February 2020
>>
>> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at
>> the end of his talk. These three changes make it just a little less
>> crazy-unsafe for all of us building JavaFX, regardless of our system,
>> network, or country.
>>
>> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
>> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
>> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>>
>> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
>> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
>> [6]: https://youtu.be/GWGNp3a3hpk
>> [7]: https://youtu.be/bwiafNatsf0
>
> John Neffenger has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Add a README file and update 'UPDATING-lucene.txt'

Yes, there are two updates:

1. As you noted, PR #450 was withdrawn in favor of PR #456, and the latter is
   now integrated. As a result, there will be no `icudt-64l.zip` file, but you
   will see a new download artifact, `icu4c-68.2-data-bin-l.zip`, once you
   merge the latest master into your branch and do a build with WebKit.

2. With the integration of PR #460 this morning, there is a new devkit for
   Xcode 12.4. Here is the updated list of internal artifacts:

   cmake-3.13.3-Darwin-x86_64.tar.gz
   cmake-3.13.3-Linux-x86_64.tar.gz
   cmake-3.13.3-win32-x86.zip
   devkit-linux_x64-gcc10.2.0-OL6.4+1.0.tar.gz
   devkit-macosx_x64-Xcode11.3.1-MacOSX10.15+1.0.tar.gz
   devkit-macosx-Xcode12.4+1.0.tar.gz
   devkit-windows_x64-VS2019-16.7.2+1.0.tar.gz
   jfx-devkit-gcc-patch+1.1.tar.gz
   ninja-win.zip

Since this should be settled down for now, I'll send you the checksums some
time later this week (presuming you have added the media and WebKit artifacts
by then).

-------------

PR: https://git.openjdk.java.net/jfx/pull/437
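The message above is about pinning checksums for the internal build artifacts so that a tampered download fails the build. The following is an added example, not code from the JavaFX build or from this PR (the actual mechanism there is Gradle's dependency verification, driven by a verification metadata file). It shows the underlying idea in plain shell: record SHA-256 checksums of a known-good set of artifacts once, then verify every later download against that pin file, failing on a modified, missing or unpinned artifact. The file names reused from the artifact list are only names; their contents here are constructed placeholders, and `write_pins`, `verify_pins` and the pin-file layout are this example's own conventions.

```shell
#!/bin/sh
# Added example: pin and verify SHA-256 checksums of build artifacts.
# Not the JavaFX build's own code; pin-file layout ("<sha256>  <name>") and
# function names are this example's conventions.

# Print the SHA-256 hex digest of one file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Record the checksum of every artifact in $1 into the pin file $2.
# Run this once against a trusted download, then commit the pin file.
write_pins() {
  dir=$1; pins=$2
  : > "$pins"
  for f in "$dir"/*; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$pins"
  done
}

# Verify every artifact in $1 against the pin file $2.
# Returns 0 only if each pinned file is present and matches; a missing,
# modified or unpinned file makes it return 1.
verify_pins() {
  dir=$1; pins=$2; status=0
  while read -r expected name; do
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(sha256_of "$dir/$name")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name" >&2; status=1
    fi
  done < "$pins"
  # An artifact nobody pinned must not slip into the build unnoticed.
  for f in "$dir"/*; do
    n=$(basename "$f")
    awk -v n="$n" '$2 == n { found = 1 } END { exit !found }' "$pins" \
      || { echo "UNPINNED $n" >&2; status=1; }
  done
  return $status
}

# Demo with constructed placeholder files (not the real artifacts).
demo_dir=$(mktemp -d)
for name in cmake-3.13.3-Linux-x86_64.tar.gz devkit-macosx-Xcode12.4+1.0.tar.gz ninja-win.zip; do
  printf 'placeholder contents of %s\n' "$name" > "$demo_dir/$name"
done
write_pins "$demo_dir" "$demo_dir.pins"
verify_pins "$demo_dir" "$demo_dir.pins"
# Simulate a tampered download: the modified file must now be rejected.
printf 'tampered\n' >> "$demo_dir/ninja-win.zip"
if verify_pins "$demo_dir" "$demo_dir.pins"; then
  echo "verification wrongly passed"
else
  echo "tampering detected"
fi
```

The pin file plays the role that Gradle's verification metadata plays in the real build: it is generated from a trusted state, reviewed and committed, and every later build compares the downloads against it rather than trusting whatever the network returned.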