8262236: Configure Gradle checksum verification #411
Conversation
|
|
|
I presume that just adding the checksum will enable the validation? This sounds like a very good idea. I'll review / test it. |
Feel free to file a bug and create a PR, if you are interested. I agree that this sounds like a good idea. |
It does in my tests. See the section "Steps to Reproduce" in the bug report for details. It would be nice to see a message that the distribution was validated successfully, but I can't find any command option to make the Gradle Wrapper do that. |
Isn't this configured directly through GitHub rather than with a pull request? Once that GitHub Action is added, I was thinking of following up with a pull request that upgrades the Gradle Wrapper to version 6.3. The older wrapper is probably fine, but I think we should keep the Wrapper at the same version as the distribution it downloads. For example, when I followed the instructions for Verifying the integrity of the Gradle Wrapper JAR in the OpenJFX repository, it failed. Only after a brief panic did I reverse the check and discovered that we're still using the older Gradle 4.8 wrapper. |
|
@jgneff This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 1 new commit pushed to the
Please see this link for an up-to-date comparison between the source branch of this pull request and the As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@kevinrushforth) but any other Committer may sponsor as well.
|
My reading of it here is that we would add this action as a step to our workflow script, which is in .github/workflows/submit.yml.
As you noticed, I generally haven't done that when updating gradle versions, but I can see the value in doing so. Since the gradle wrapper is a third-party file that needs to be checked into the repo, someone from Oracle needs to integrate it. As long as it's not causing any problems, I think I'd rather wait until the next time this comes up. |
Thanks, Kevin. I'll look into it and follow up with a bug report and pull request. Maybe I'll even add a commit with a bogus Gradle Wrapper to the pull request for testing, which we can then remove.
That's fine by me. |
|
/integrate |
|
/sponsor |
openjdk
bot
added
integrated
|
@kevinrushforth @jgneff Since your change was applied there has been 1 commit pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit dc342d3. |
The recent supply-chain attacks in the news are making me nervous!😟
The Gradle 6.3 distribution is the only software on my OpenJFX build system that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses digital signatures to authenticate each package, and Git uses a secure hash algorithm to ensure the integrity of each file, but there is no such check of the Gradle distribution before running it. During my OpenJFX builds, Gradle is downloaded from a Cloudflare server through an HTTPS proxy server, and there's no guarantee that it's the same file as the one published by the Gradle developers.
This pull requests adds the additional step of verifying the Gradle distribution on the build system before extracting its archive and running it.
We might also consider adding the Gradle Wrapper Validation GitHub Action to the OpenJFX repository.
Progress
Issue
Reviewers
Download
$ git fetch https://git.openjdk.java.net/jfx pull/411/head:pull/411$ git checkout pull/411