This page describes the subset of my contributions which enhance the security of open-source projects used in software development.
In October 2020, I noticed that Ubuntu and other Linux distributions were not keeping pace with the rapid release schedules of many software development tools. To use the latest releases, I started downloading and installing the tools from their vendor’s or project’s website instead of getting them solely from the Ubuntu package repositories that provide my operating system.
In December 2020, I learned of the SolarWinds attack and became increasingly worried about the software on my workstation. I was particularly concerned that the developer tools I had installed were adding hundreds of trusted sources to my system through their build-time dependencies and run-time plugins. The current releases of the tools were not available from Ubuntu, and I was unwilling to trust the packages built elsewhere.
To solve this dilemma, I started working with the upstream projects to close the gaps in their security, first by adding dependency verification and then by enabling reproducible builds. I also started publishing my own packages of the tools in an effort to create the most open, transparent, and verifiable builds available. There is, however, still some remaining work to be done.
OpenJFX is the open-source project that develops JavaFX. It uses a complex build system based on Gradle to build JavaFX and its native libraries on Linux, macOS, and Windows. My first goal was to add the three security measures recommended by the Gradle team for any project using Gradle:
|OpenJFX||JDK-8262236||2021-02-23||#411||2021-02-23||Configure Gradle checksum verification|
|OpenJFX||JDK-8263204||2021-03-08||#419||2021-03-09||Add Gradle Wrapper Validation Action|
|OpenJFX||JDK-8264010||2021-03-22||#437||2021-05-03||Add Gradle dependency verification|
These changes reduce the risk of compromising the build system or including malware in JavaFX.
In March 2021, I got involved in the Reproducible Builds project when I saw that Bernhard Wiedemann’s initial pull request for OpenJFX had stalled. I created a new pull request, shown in the table below, that was much broader in scope and sought to create fully reproducible builds of all JavaFX artifacts on all three platforms: Linux, macOS, and Windows.
More recently, I found and fixed the last remaining bug blocking fully reproducible builds of the entire Java Development Kit. The bug was especially interesting because, although its cause was unrelated to the goal of reproducible builds, it would have been practically impossible to find and fix without that goal.
|OpenJFX||JDK-8264449||2021-03-30||#446||Pending||Enable reproducible builds with SOURCE_DATE_EPOCH|
|OpenJDK||JDK-8292892||2022-08-24||#10070||2022-09-21||Javadoc index descriptions are not deterministic|
These changes allow myself and others to publish reproducible builds of the JDK and JavaFX.
I decided early on to publish my own builds of the tools I use in software development. By building the tools on the same Launchpad build farm that builds the Ubuntu operating system, I could once again have a single trusted source for all of the software on my workstation.
Currently, the easiest way to build software on Launchpad, especially for Ubuntu, is with a Snap package. Snap packages have the additional security benefit of being able to run in complete isolation with limited access to the system. So I published Snap packages for all current releases and early-access builds of the JDK and JavaFX, with the goal of creating the most open, transparent, and verifiable builds available:
|OpenJFX||openjfx||openjfx||2020-11-23||Current JavaFX release and early-access builds|
|OpenJDK||openjdk||openjdk||2020-12-02||Current JDK release and early-access builds|
These packages allow myself and others to install transparent builds of latest JDK and JavaFX releases.
Although the bulk of work related to reproducible builds is complete for the OpenJDK and OpenJFX projects, the following work items remain:
- OpenJFX build paths
- The absolute path of the project directory ends up being included in the JavaFX Controls module
javafx.controls.jar, breaking reproducible builds for systems using different build paths.
- OpenJFX macOS libraries
- There are differences in some JavaFX native shared libraries between any two builds on macOS, such as
- Verified reproducible builds
- Reproducible builds are verifiable, but I would like mine to be verified. I could verify the builds myself by running them locally and comparing those packages with the ones built on Launchpad.