Copilot commented on code in PR #60421:
URL: https://github.com/apache/doris/pull/60421#discussion_r2752418414


##########
thirdparty/vars.sh:
##########
@@ -458,10 +458,10 @@ SSE2NEON_SOURCE=sse2neon-1.6.0
 SSE2NEON_MD5SUM="dce28eb6a78f45bf98740d5fad73febb"
 
 # xxhash
-XXHASH_DOWNLOAD="https://github.com/Cyan4973/xxHash/archive/refs/tags/v0.8.1.tar.gz";
-XXHASH_NAME=xxHash-0.8.1.tar.gz
-XXHASH_SOURCE=xxHash-0.8.1
-XXHASH_MD5SUM="b67c587f5ff4894253da0095ba7ea393"
+XXHASH_DOWNLOAD="https://github.com/Cyan4973/xxHash/archive/refs/tags/v0.8.3.tar.gz";
+XXHASH_NAME=xxHash-0.8.3.tar.gz
+XXHASH_SOURCE=xxHash-0.8.3
+XXHASH_MD5SUM="599804eb9555e51c05f1b821f9212a07"
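Review bot: the new `XXHASH_MD5SUM` value on the last `+` line cannot be verified from the diff alone; please state in the PR description how it was produced (for example `md5sum xxHash-0.8.3.tar.gz` on an archive fetched from the `XXHASH_DOWNLOAD` URL above, ideally cross-checked against the upstream v0.8.3 release) so reviewers can reproduce it, since a checksum recorded from an already-tampered download verifies nothing. Also confirm that `XXHASH_SOURCE=xxHash-0.8.3` matches the top-level directory inside the 0.8.3 archive, because the tag in the URL, the archive name and the source directory must all agree for the bump to build.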

Review Comment:
   The `XXHASH_MD5SUM` constant relies on the weak MD5 algorithm to verify the 
integrity of a third-party archive downloaded over the network, which makes the 
integrity check vulnerable to cryptographic attacks and weakens your 
supply-chain protection. An attacker who can replace the downloaded tarball and 
craft a file with a colliding MD5 hash could inject malicious code while still 
passing this check. Use a modern hash (for example, SHA-256) for download 
verification and update both the checksum generation and validation logic in 
`download-thirdparty.sh` to rely on the stronger digest.
   ```suggestion
   # SHA-256 checksum for ${XXHASH_NAME}. Compute with: sha256sum "${XXHASH_NAME}"
   XXHASH_SHA256SUM="REPLACE_WITH_ACTUAL_XXHASH_0_8_3_TAR_GZ_SHA256"
   ```



##########
thirdparty/CHANGELOG.md:
##########
@@ -2,6 +2,10 @@
 
 This file contains version of the third-party dependency libraries in the 
build-env image. The docker build-env image is apache/doris, and the tag is 
`build-env-${version}`
 
+## 20260202
+
+- Modified: xxhash 0.8.1 -> 0.8.3
+
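Review bot: the new `## 20260202` entry records only the xxhash bump; if this PR also adds further thirdparty dependencies, as the second review comment on this PR states for paimon-cpp, list them under the same date heading (for example an `Added:` line next to `Modified:`) so the build-env changelog stays complete, and check whether the `build-env-${version}` image tag mentioned in the context line above needs to move with this change.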

Review Comment:
   The scope of this change goes far beyond upgrading xxhash: it introduces 
paimon-cpp integration (new thirdparty dependency, BE reader and filesystem 
bridge, FE session variables, and query options), which conflicts with the PR 
title/description that only mention an xxhash version bump. Please either 
narrow the code changes to match the described chore, or update the PR title 
and description to accurately reflect the new Paimon C++ reader and related 
behavior changes.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]