8264010: Add Gradle dependency verification
Co-authored-by: Kevin Rushforth <kcr@openjdk.org>
Reviewed-by: kcr, jvos
jgneff and kevinrushforth committed May 3, 2021
1 parent 7ec132c commit a9f6035
Showing 3 changed files with 321 additions and 12 deletions.
38 changes: 26 additions & 12 deletions apps/samples/Ensemble8/UPDATING-lucene.txt
@@ -1,28 +1,42 @@
To update to a new version of Lucene:

1. Change the version number in the following files:

build.gradle
apps/samples/.classpath
apps/samples/Ensemble8/build.gradle
apps/samples/Ensemble8/legal/lucene.md
apps/samples/Ensemble8/nbproject/project.properties
build.gradle

2. Update the Gradle dependency verification file
(gradle/verification-metadata.xml):

$ gradle --write-verification-metadata sha256 help

2. Do a clean build of apps:
Edit the file to remove the old Lucene dependencies and run the
command again to test your changes. For alternative ways to update
the file, see "Cleaning up the verification file" on the page:

gradle clean
gradle sdk apps
Verifying dependencies - Gradle User Guide
https://docs.gradle.org/current/userguide/dependency_verification.html

NOTE: if upgrading to a new major version there are usually compilation or runtime errors that need to be fixed.
3. Do a clean build of apps:

$ gradle clean
$ gradle sdk apps

3. Regenerate the index files. This step can be skipped if only the "bugfix" number (the third digit) of the release changes:
NOTE: If upgrading to a new major version, there are usually
compilation or runtime errors that need to be fixed.

$ cd apps/samples/Ensemble8
$ rm -rf src/generated/resources/ensemble/search/index
$ ant -Dplatforms.JDK_1.9.home=$JAVA_HOME clean ensemble-generate-search-index jar
$ rm src/generated/resources/ensemble/search/index/write.lock
$ git add --all src/generated/resources/ensemble/search/index
4. Regenerate the index files. This step can be skipped if only the
"bugfix" number (the third digit) of the release changes:

$ cd apps/samples/Ensemble8
$ rm -r src/generated/resources/ensemble/search/index
$ ant -Dplatforms.JDK_1.9.home=$JAVA_HOME \
clean ensemble-generate-search-index jar
$ rm src/generated/resources/ensemble/search/index/write.lock
$ git add --all src/generated/resources/ensemble/search/index

4. Test it by running Ensemble and entering text into the search box (upper right)
5. Test it by running Ensemble and entering text into the search box
(upper right).
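Review bot: Step 2 writes the new Lucene checksums from whatever this machine downloaded, and nothing in the step asks the person upgrading to compare them with an independent source before committing. gradle/README.txt in this same commit quotes the User Guide on getting the checksum "from a different place", so consider pointing to that paragraph from step 2, or adding a line asking for the new lucene-*.jar sha256 values to be compared with checksums obtained from the Lucene project's own site. The step also uses a shorter command than the README (no -PCOMPILE_WEBKIT=true -PBUILD_LIBAV_STUBS=true); one sentence saying whether those flags are needed for a Lucene-only update would remove the doubt about which form to run.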
52 changes: 52 additions & 0 deletions gradle/README.txt
@@ -0,0 +1,52 @@
For more information on the Gradle dependency verification file
(verification-metadata.xml), see the following page:

Verifying dependencies - Gradle User Guide
https://docs.gradle.org/current/userguide/dependency_verification.html

Recreate the dependency verification file as follows:

1. Remove the existing file on Linux.

$ rm gradle/verification-metadata.xml

2. Run the following command on Linux.

$ gradle -PCOMPILE_WEBKIT=true -PBUILD_LIBAV_STUBS=true \
--write-verification-metadata sha256 help

3. Copy the file on Linux to macOS and run the command again to pick up
the 'org.eclipse.swt.cocoa.macosx.x86_64' library.

4. Copy the file on macOS to Windows and run the command again to pick
up the 'org.eclipse.swt.win32.win32.x86_64' library. Convert the
newline format of the file back to single-character line feeds.

$ dos2unix gradle/verification-metadata.xml
dos2unix: converting file gradle/verification-metadata.xml to Unix format...

$ file gradle/verification-metadata.xml
gradle/verification-metadata.xml: XML 1.0 document, ASCII text

5. Use the file generated on Linux, macOS, and Windows in the Oracle
builds to pick up the internal tools and development kits in the
'javafx' component group.

6. Commit the final version of the file to the repository.

These commands will cause Gradle to compute the requested checksums
directly from the newly downloaded artifacts and add them to the file.

Optionally verify that the new checksums added to the file are correct.
The User Guide states, "However, if a dependency is compromised in
a repository, it's likely its checksum will be too, so it's a good
practice to get the checksum from a different place, usually the
website of the library itself." Even without this extra verification,
having the checksums in the default build allows for a distributed
consensus on their correct values and will report any discrepancies.

When upgrading an external dependency to a newer version, update the
dependency verification file in a similar manner. Edit the file to
remove the older dependencies no longer in use and run the commands
again to test your changes. For alternative ways to update the file,
see "Cleaning up the verification file" at the link above.
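Review bot: Steps 1 and 2 delete gradle/verification-metadata.xml and regenerate it from scratch, so every checksum that was already reviewed and committed is replaced by one recomputed from the artifacts on that machine, and a changed artifact for an unchanged version would be written into the file without any verification failure. Suggest adding a step before step 6 to diff the regenerated file against the committed one and to treat any changed sha256 for a component whose version did not change as a discrepancy to investigate. Step 5 relies on the Oracle builds for the 'javafx' component group; the README should say what contributors without access to those builds are expected to do with those entries when they regenerate the file.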
243 changes: 243 additions & 0 deletions gradle/verification-metadata.xml
@@ -0,0 +1,243 @@
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
<configuration>
<verify-metadata>true</verify-metadata>
<verify-signatures>false</verify-signatures>
</configuration>
<components>
<component group="" name="ffmpeg-3.3.3" version="">
<artifact name="ffmpeg-3.3.3-.tar.gz">
<sha256 value="66000646f487496bc33cf0ab72ca1cd4c8bd52f295c45428ed69735925a2bf3c" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="ffmpeg-4.0.2" version="">
<artifact name="ffmpeg-4.0.2-.tar.gz">
<sha256 value="a56ef203c14ffab56b97690a1005522cfa0dc2c42c3c40c33c0bec4875b706eb" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="icu4c-68.2-data-bin-l" version="">
<artifact name="icu4c-68.2-data-bin-l-.zip">
<sha256 value="89e4022c14cdaec92e7fc8f7214412dd02c8010ccba26fcee7c9ae30fdfadcbc" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="libav-11.4" version="">
<artifact name="libav-11.4-.tar.gz">
<sha256 value="ce416632d4b62fbd1a667c4cbbd484eb5b5f058e15c5900fbec175d8b6865047" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="libav-12.1" version="">
<artifact name="libav-12.1-.tar.gz">
<sha256 value="f08d48bfd26097402d61f831e77effd53d0838fdeccb02ea85ec3c5d2a4527e1" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="libav-9.14" version="">
<artifact name="libav-9.14-.tar.gz">
<sha256 value="630203127f06b57b1156d5dd53b9c49daf33fab9157903aaac65a26bef6accbc" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="org.eclipse.swt.cocoa.macosx.x86_64_3.105.3.v20170228-0512" version="">
<artifact name="org.eclipse.swt.cocoa.macosx.x86_64_3.105.3.v20170228-0512-.jar">
<sha256 value="ff48e1c05fd5e3701b53fc9ac59a2745d61daf1484d9aa24dc2f79a74e381cf8" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="org.eclipse.swt.gtk.linux.x86_64_3.105.3.v20170228-0512" version="">
<artifact name="org.eclipse.swt.gtk.linux.x86_64_3.105.3.v20170228-0512-.jar">
<sha256 value="a963351d5f7b82b890c4994e158d80555dae38b00af3b8d73f3875c21ff398bc" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="org.eclipse.swt.win32.win32.x86_64_3.105.3.v20170228-0512" version="">
<artifact name="org.eclipse.swt.win32.win32.x86_64_3.105.3.v20170228-0512-.jar">
<sha256 value="2be43498f3f91613ff865449ea8495d8e16b714f1f0564c276f56aa9e17ca2ea" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="com.ibm.icu" name="icu4j" version="61.1">
<artifact name="icu4j-61.1.jar">
<sha256 value="55c98eb1838b2a4bb9a07dc36bd378532d64d0cdcb7ceee914236866a7de4464" origin="Generated by Gradle"/>
</artifact>
<artifact name="icu4j-61.1.pom">
<sha256 value="13b87a4079ceb05515b19ac7a15203947075601d49423f719358a4980098056b" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="cmake-3.13.3-Darwin" version="x86_64.tar">
<artifact name="cmake-3.13.3-Darwin-x86_64.tar.gz">
<sha256 value="cee923ec7a88350f78dac06f0dfae5dec3c9cef331686acfd36ef7dd5aea84db" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="cmake-3.13.3-Linux" version="x86_64.tar">
<artifact name="cmake-3.13.3-Linux-x86_64.tar.gz">
<sha256 value="78227de38d574d4d19093399fd4b40a4fb0a76cbfc4249783a969652ce515270" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="cmake-3.13.3-win32" version="x86">
<artifact name="cmake-3.13.3-win32-x86.zip">
<sha256 value="1382a32494b49d0554268a6d4c321865ace7e66c9189323c4f43630f067cf135" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="devkit-linux_x64-gcc10.3.0" version="OL6.4+1.0.tar">
<artifact name="devkit-linux_x64-gcc10.3.0-OL6.4+1.0.tar.gz">
<sha256 value="7bef73db375a81dd8daf8a63ee4a1f8f06dd3a063b85115e84a0dd52da22dca9" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="devkit-macosx" version="Xcode12.4+1.0.tar">
<artifact name="devkit-macosx-Xcode12.4+1.0.tar.gz">
<sha256 value="bbaef3679622587fc7fd927327ccce8fbf813274a1eab868a066b3bcc50d64e4" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="devkit-windows_x64-VS2019" version="16.9.3+1.0.tar">
<artifact name="devkit-windows_x64-VS2019-16.9.3+1.0.tar.gz">
<sha256 value="270db89d7c58bc05c3a4e0a0057711f9d0aa228879c9ff38bb7a12cc1ee2c2cf" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="jfx-devkit-gcc" version="patch+1.1.tar">
<artifact name="jfx-devkit-gcc-patch+1.1.tar.gz">
<sha256 value="dbcbb0655093e1a1ad9fed4bc58bcfe0b5c9c204424ca58ecc3b87cdf8ee3e77" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="ninja" version="win">
<artifact name="ninja-win.zip">
<sha256 value="c80313e6c26c0b9e0c241504718e2d8bbc2798b73429933adf03fdc6d84f0e70" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="junit" name="junit" version="4.8.2">
<artifact name="junit-4.8.2.jar">
<sha256 value="a2aa2c3bb2b72da76c3e6a71531f1eefdc350494819baf2b1d80d7146e020f9e" origin="Generated by Gradle"/>
</artifact>
<artifact name="junit-4.8.2.pom">
<sha256 value="df39d34d1f5830b2d8a92790c66b5798358b0b3e01452dc85b3722a881ad923e" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="net.java" name="jvnet-parent" version="3">
<artifact name="jvnet-parent-3.pom">
<sha256 value="30f5789efa39ddbf96095aada3fc1260c4561faf2f714686717cb2dc5049475a" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.abego.treelayout" name="org.abego.treelayout.core" version="1.0.3">
<artifact name="org.abego.treelayout.core-1.0.3.jar">
<sha256 value="fa5e31395c39c2e7d46aca0f81f72060931607b2fa41bd36038eb2cb6fb93326" origin="Generated by Gradle"/>
</artifact>
<artifact name="org.abego.treelayout.core-1.0.3.pom">
<sha256 value="a3b2b223794370355e792433af012fc993667c0331be2bacad84dbc09ace4a0c" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="ST4" version="4.1">
<artifact name="ST4-4.1.jar">
<sha256 value="8b1ccaed9edc55cd255d9c19c4d8da4756d9b6fcb435671292b43470b16d75d8" origin="Generated by Gradle"/>
</artifact>
<artifact name="ST4-4.1.pom">
<sha256 value="733e6bd97ca34cc6df93a4243e511e5673cb9b88c74b18844e042a45d516987c" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr-master" version="3.5.2">
<artifact name="antlr-master-3.5.2.pom">
<sha256 value="42d91a531ea5100eb09b541aa002c3b908e8f282bd73b6e2f52f371ef1331bd6" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr-runtime" version="3.5.2">
<artifact name="antlr-runtime-3.5.2.jar">
<sha256 value="ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734" origin="Generated by Gradle"/>
</artifact>
<artifact name="antlr-runtime-3.5.2.pom">
<sha256 value="46a9c2200bb8b12bd7124aa7a5097ff49099908329c851a04cb2051420aa7f25" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr4" version="4.7.2">
<artifact name="antlr4-4.7.2-complete.jar">
<sha256 value="6852386d7975eff29171dae002cc223251510d35f291ae277948f381a7b380b4" origin="Generated by Gradle"/>
</artifact>
<artifact name="antlr4-4.7.2.pom">
<sha256 value="cf9eb36940fac44881038c1be3f2c58e06e68d1abfbfd4a68d34bbd8bac55771" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr4-master" version="4.7.2">
<artifact name="antlr4-master-4.7.2.pom">
<sha256 value="ba99cb25d2390f38680c7502842a0ee0959d1e6403e013ccff698fd5856eead1" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr4-runtime" version="4.7.2">
<artifact name="antlr4-runtime-4.7.2.jar">
<sha256 value="4c518b87d4bdff8b44cd8cbc1af816e944b62a3fe5b80b781501cf1f4759bbc4" origin="Generated by Gradle"/>
</artifact>
<artifact name="antlr4-runtime-4.7.2.pom">
<sha256 value="dc09cba98c25d3c06e4aec516885d4c3af03062ba55f4fe6283fc9cf176a60fb" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache" name="apache" version="13">
<artifact name="apache-13.pom">
<sha256 value="ff513db0361fd41237bef4784968bc15aae478d4ec0a9496f811072ccaf3841d" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-core" version="7.7.3">
<artifact name="lucene-core-7.7.3.jar">
<sha256 value="8eb03335c1a3c6a8b188df74d761baa83569953582ab440b534c88449ea8e0de" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-core-7.7.3.pom">
<sha256 value="82f8a52281c6c8ba7974acbaac44b32d76e260082f3f4bbe165c0f6e4b89142a" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-grouping" version="7.7.3">
<artifact name="lucene-grouping-7.7.3.jar">
<sha256 value="2f5bcd63b25743d30c313986224d107f75c52938714954253510c57d3f67beb8" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-grouping-7.7.3.pom">
<sha256 value="1f04ad93e2044d408fd925eee0aea4b4a1ef8c07577b42667bb5360602822265" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-parent" version="7.7.3">
<artifact name="lucene-parent-7.7.3.pom">
<sha256 value="e8fadd53d5f004c40ddd235d438648e72c725599fee1543e5624d5fb50107305" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-queries" version="7.7.3">
<artifact name="lucene-queries-7.7.3.jar">
<sha256 value="3cb592db0a6e9569c6accbdb88a9ad7b1da7428dbca7921ad1c5a5865d5b4226" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-queries-7.7.3.pom">
<sha256 value="ae406c8a2bb0d764a594444279f4628a1976bd0941e79d42ce64e0987c589c50" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-queryparser" version="7.7.3">
<artifact name="lucene-queryparser-7.7.3.jar">
<sha256 value="1775c9fe8edd9686d3b7a647778fa44eaa96f1cc0c499315087133e1a9839e84" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-queryparser-7.7.3.pom">
<sha256 value="cf69259215ac7230b9fad60a5c89ca0e9f5b9baaccedd146958ffbe90f4eb0d2" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-sandbox" version="7.7.3">
<artifact name="lucene-sandbox-7.7.3.jar">
<sha256 value="55f1b7f09dae2b0cad321c34d15c3cfc59a0211be233f629d046c42bf17012b7" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-sandbox-7.7.3.pom">
<sha256 value="d6f6ddc6ccf5c6fca6447d470f5049e1637ac637bf1db5ae0d5f1668fdf81222" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-solr-grandparent" version="7.7.3">
<artifact name="lucene-solr-grandparent-7.7.3.pom">
<sha256 value="3a2837580ca76af36af7dfe2dc1d334fc6ff5f26d10f24899db7770ad7cfd9fe" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.glassfish" name="javax.json" version="1.0.4">
<artifact name="javax.json-1.0.4.jar">
<sha256 value="0e1dec40a1ede965941251eda968aeee052cc4f50378bc316cc48e8159bdbeb4" origin="Generated by Gradle"/>
</artifact>
<artifact name="javax.json-1.0.4.pom">
<sha256 value="6baf8383ffa98b66ea96cd5bfc1ec7f2d79463bb98ac98052964b121c2212d54" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.glassfish" name="json" version="1.0.4">
<artifact name="json-1.0.4.pom">
<sha256 value="6d7c68423115f921718d944f859924b4c685217ec03a49f70455a8b2caa972e6" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.sonatype.oss" name="oss-parent" version="7">
<artifact name="oss-parent-7.pom">
<sha256 value="b51f8867c92b6a722499557fc3a1fdea77bdf9ef574722fe90ce436a29559454" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.sonatype.oss" name="oss-parent" version="9">
<artifact name="oss-parent-9.pom">
<sha256 value="fb40265f982548212ff82e362e59732b2187ec6f0d80182885c14ef1f982827a" origin="Generated by Gradle"/>
</artifact>
</component>
</components>
</verification-metadata>
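Review bot: In the configuration block, verify-signatures is set to false and every sha256 entry carries origin="Generated by Gradle", so the file as committed records what was downloaded at generation time rather than what upstream published. For entries that were cross-checked as the README's optional verification paragraph suggests, consider changing the origin attribute to name the source that was consulted, so reviewers can tell checked entries from generated ones. The components with group="" and version="" (ffmpeg, libav, icu4c and the three SWT jars) yield artifact names with a stray hyphen, such as ffmpeg-3.3.3-.tar.gz; a sentence in gradle/README.txt saying these names are expected would stop someone correcting them by hand and breaking the match.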

1 comment on commit a9f6035

@openjdk-notifier