> This pull request adds dependency verification to the Gradle builds of JavaFX 
> on Linux, macOS, and Windows. It is the third of three changes that close the 
> gaps in the JavaFX build security:
> 
> * [JDK-8262236][1]: Configure Gradle checksum verification
> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
> * [JDK-8264010][3]: Add Gradle dependency verification
> 
> "Without dependency verification it's easy for an attacker to compromise your 
> supply chain," warns the [Gradle User Guide][4]. All three changes come from 
> conference talks by members of the Gradle team, available as [PDF slides][5] 
> or on YouTube in the following two videos:
> 
> * [Cédric Champeau at Devoxx][6] in November 2019
> * [Louis Jacomet at Jfokus][7] in February 2020
> 
> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at 
> the end of his talk. These three changes make it just a little less 
> crazy-unsafe for all of us building JavaFX, regardless of our system, 
> network, or country.
> 
> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
> 
> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
> [5]: 
> https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
> [6]: https://youtu.be/GWGNp3a3hpk
> [7]: https://youtu.be/bwiafNatsf0

John Neffenger has updated the pull request with a new target base due to a 
merge or a rebase. The incremental webrev excludes the unrelated changes 
brought in by the merge/rebase. The pull request contains ten additional 
commits since the last revision:

 - Add more details to the instructions in the README
   
   Add more details to the file 'gradle/README.txt' on how to create and
   update the dependency verification file for Linux, macOS, Windows, and
   the internal Oracle builds.
 - Remove older unused Oracle internal dependencies
 - Add two more Oracle internal dependencies
 - Merge branch 'master' into dependency-verification
 - Add dependencies for internal builds at Oracle
 - Add dependencies for media and WebKit libraries
 - Merge branch 'master' into dependency-verification
 - Add a README file and update 'UPDATING-lucene.txt'
 - 8264010: Add Gradle dependency verification

-------------

Changes:
  - all: https://git.openjdk.java.net/jfx/pull/437/files
  - new: https://git.openjdk.java.net/jfx/pull/437/files/b0435b29..75fa032e

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=04
 - incr: https://webrevs.openjdk.java.net/?repo=jfx&pr=437&range=03-04

  Stats: 3879 lines in 71 files changed: 3202 ins; 428 del; 249 mod
  Patch: https://git.openjdk.java.net/jfx/pull/437.diff
  Fetch: git fetch https://git.openjdk.java.net/jfx pull/437/head:pull/437

PR: https://git.openjdk.java.net/jfx/pull/437
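What the third change pins down, shown as an added example that is not code from the JavaFX repository or from Gradle: the `gradle/verification-metadata.xml` file that `./gradlew --write-verification-metadata sha256 help` records, and the check Gradle then applies to every resolved artifact. The script below builds such a file from a constructed set of "trusted" jars (the write step, which is trust-on-first-write and so must run on a machine and network you trust), then verifies a later, constructed set in which one jar has been modified and one was never pinned. The XML element and attribute names follow Gradle's documented layout; the namespace, the `origin` text, and the `org.example` artifacts are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by Gradle's dependency verification schema (assumed here).
NS = "https://schema.gradle.org/dependency-verification"

# Constructed sample artifacts: (group, name, version, file name) -> bytes.
# They stand in for jars resolved from a repository; the bytes are made up.
TRUSTED_ARTIFACTS = {
    ("org.example", "lib-a", "1.0.0", "lib-a-1.0.0.jar"): b"PK\x03\x04 lib-a 1.0.0 contents",
    ("org.example", "lib-b", "2.3.1", "lib-b-2.3.1.jar"): b"PK\x03\x04 lib-b 2.3.1 contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_verification_metadata(artifacts, origin="Generated by Gradle") -> str:
    """Produce a verification-metadata.xml in Gradle's layout from the resolved
    artifacts. This is the write step: the checksums describe whatever was
    downloaded, so any compromise present at write time is pinned as trusted."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}verification-metadata")
    config = ET.SubElement(root, f"{{{NS}}}configuration")
    ET.SubElement(config, f"{{{NS}}}verify-metadata").text = "true"
    ET.SubElement(config, f"{{{NS}}}verify-signatures").text = "false"
    components = ET.SubElement(root, f"{{{NS}}}components")
    for (group, name, version, fname), data in sorted(artifacts.items()):
        comp = ET.SubElement(components, f"{{{NS}}}component",
                             group=group, name=name, version=version)
        art = ET.SubElement(comp, f"{{{NS}}}artifact", name=fname)
        ET.SubElement(art, f"{{{NS}}}sha256", value=sha256_hex(data), origin=origin)
    return ET.tostring(root, encoding="unicode")


def load_expected(xml_text: str) -> dict:
    """Map each pinned (group, name, version, file) to its recorded sha256."""
    root = ET.fromstring(xml_text)
    expected = {}
    for comp in root.iter(f"{{{NS}}}component"):
        for art in comp.findall(f"{{{NS}}}artifact"):
            sha = art.find(f"{{{NS}}}sha256")
            key = (comp.get("group"), comp.get("name"), comp.get("version"), art.get("name"))
            expected[key] = sha.get("value")
    return expected


def verify_artifacts(xml_text: str, artifacts) -> list:
    """Return (key, reason) pairs for every artifact that must fail the build:
    a checksum mismatch (tampered or substituted jar) or an artifact with no
    entry at all, since anything not pinned is untrusted."""
    expected = load_expected(xml_text)
    failures = []
    for key, data in sorted(artifacts.items()):
        if key not in expected:
            failures.append((key, "no checksum entry"))
        elif expected[key] != sha256_hex(data):
            failures.append((key, "sha256 mismatch"))
    return failures


METADATA = write_verification_metadata(TRUSTED_ARTIFACTS)

# Constructed "later build": lib-a replaced by a modified jar, lib-b intact,
# plus a dependency that was never pinned.
LATER_ARTIFACTS = {
    ("org.example", "lib-a", "1.0.0", "lib-a-1.0.0.jar"): b"PK\x03\x04 lib-a 1.0.0 contents plus an extra class",
    ("org.example", "lib-b", "2.3.1", "lib-b-2.3.1.jar"): TRUSTED_ARTIFACTS[("org.example", "lib-b", "2.3.1", "lib-b-2.3.1.jar")],
    ("org.example", "lib-c", "0.1.0", "lib-c-0.1.0.jar"): b"PK\x03\x04 lib-c 0.1.0 contents",
}

if __name__ == "__main__":
    print(METADATA)
    for key, reason in verify_artifacts(METADATA, LATER_ARTIFACTS):
        print("FAIL", key[3], reason)
```

The checksum file only helps once it is committed and the build refuses to proceed on any failure; regenerating it with the write command on a machine that may already be compromised simply re-pins the bad artifact, which is why the first two changes (pinning the wrapper distribution checksum and validating `gradle-wrapper.jar`) have to land before this one is worth anything.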
