I’m not trying to give you a hard time, and it’s true that to be realistic we do have to trust something at some point. Whether it’s a low-level compiler binary, the kernel, or the machine hardware itself, most of us do not control the system all the way down. However, I was very surprised to see a high-level build tool like gradle require bootstrapping from binaries. I appreciate that dogfooding is a good way to make sure gradle is fit for purpose, but I’d just like to see some (probably more complex) way of building it using other tools.
The sort of attack that (in general) can be perpetrated by not building directly from source is exemplified by Ken Thompson’s C bootstrap compiler / login backdoor, described in his paper “Reflections on Trusting Trust”: http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
I do have reservations about using the proprietary javac provided by Oracle/Sun. I prefer to use OpenJDK whenever possible, but sometimes code requires the Oracle JDK and we have no choice but to use that. We install such packages into a separate namespace for untrusted/blackbox software.
If it isn’t possible to compile gradle without relying on an opaque binary provided by a third-party, I guess the alternative for us will be to install gradle and everything we build using gradle into the “untrusted” area.
As far as I know, gradle is the only major java build tool for which there is apparently no supported path to compiling it without involving a third-party binary.
ant could be built simply with javac and a shell script.
ivy can be built with ant.
maven (1.x) could be built with ant, and maven 1.x used to compile later versions of maven.
I’d be happy with a circuitous route that involves compiling one or more earlier versions of gradle in order to bootstrap future versions. It seems clear that someone did compile some version of gradle without gradle at some point - if there is any information on how that was done (perhaps someone has a shell script that can build a very early version), along with which version(s) of gradle each newer version can be built with, I’d be happy to give it a try and attempt to document some sort of “pure” bootstrapping process.
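As an added illustration of the bootstrap chain the post asks for (example code, not from the poster or the Gradle project): a small Python model that, given which tools can build which, finds a build order that starts only from an accepted trust root, or otherwise names the opaque binaries you would end up trusting. The tool names, versions and recipes are constructed placeholders, not real release history.

```python
# Constructed sample data: each tool maps to the alternative recipes (sets of tools) that can build it.
TRUST_ROOTS = {"javac", "sh"}                 # what we accept without a source build
BUILD_GRAPH = {
    "ant":           [{"javac", "sh"}],       # javac plus a shell script
    "ivy":           [{"ant"}],
    "maven-1.x":     [{"ant"}],
    "maven-2.x":     [{"maven-1.x"}],         # earlier release builds the next
    "gradle-binary": [],                      # opaque third-party download, no recipe
    "gradle-0.1":    [{"gradle-binary"}],     # placeholder versions
    "gradle-0.2":    [{"gradle-0.1"}],
}


def bootstrap_plan(graph, roots, target):
    """Tools to build in order, ending with target, from roots only; None if impossible."""
    memo = {}
    def solve(tool, stack):
        if tool in roots:
            return []
        if tool in memo:
            return memo[tool]
        if tool in stack:                     # would have to build itself
            return None
        for recipe in graph.get(tool, []):
            plan = []
            for dep in sorted(recipe):
                sub = solve(dep, stack | {tool})
                if sub is None:
                    break
                plan += [s for s in sub if s not in plan]
            else:                             # every dependency is buildable
                memo[tool] = plan + [tool]
                return memo[tool]
        return None
    return solve(target, frozenset())


def opaque_dependencies(graph, roots, target):
    """Tools in target's build closure with no source recipe: what you end up trusting."""
    seen, todo, opaque = set(), [target], set()
    while todo:
        tool = todo.pop()
        if tool in seen or tool in roots:
            continue
        seen.add(tool)
        if not graph.get(tool):
            opaque.add(tool)
        for recipe in graph.get(tool, []):
            todo.extend(recipe)
    return opaque
```

Documenting a second recipe for an early version (say, that it can be built with ant) is enough to turn the None result for the later versions into a concrete chain.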