Copilot commented on code in PR #60425:
URL: https://github.com/apache/doris/pull/60425#discussion_r2752541054


##########
thirdparty/vars.sh:
##########
@@ -98,10 +98,10 @@ GTEST_SOURCE=googletest-release-1.12.1
 GTEST_MD5SUM="e82199374acdfda3f425331028eb4e2a"
 
 # snappy
-SNAPPY_DOWNLOAD="https://github.com/google/snappy/archive/1.1.8.tar.gz";
-SNAPPY_NAME=snappy-1.1.8.tar.gz
-SNAPPY_SOURCE=snappy-1.1.8
-SNAPPY_MD5SUM="70e48cba7fecf289153d009791c9977f"
+SNAPPY_DOWNLOAD="https://github.com/google/snappy/archive/1.1.10.tar.gz";
+SNAPPY_NAME=snappy-1.1.10.tar.gz
+SNAPPY_SOURCE=snappy-1.1.10
+SNAPPY_MD5SUM="70153395ebe6d72febe2cf2e40026a44"
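Review bot: the new pin `SNAPPY_MD5SUM="70153395ebe6d72febe2cf2e40026a44"` cannot be reproduced from this hunk alone, so please state in the PR description how it was obtained (download of the 1.1.10 archive plus `md5sum`) so a second reviewer can confirm it against upstream before merge. Since the digest is being re-pinned anyway, this is the natural point to move the variable to SHA-256, which also needs the matching change in the script that consumes these `*_MD5SUM` variables; that script is outside this hunk. One caveat on the URL kept here: `archive/1.1.10.tar.gz` is a GitHub-generated source tarball rather than a file uploaded by the Snappy maintainers, so its bytes depend on GitHub's archive generation; a later mismatch should be investigated as a possible regeneration as well as a possible tamper.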

Review Comment:
   `SNAPPY_MD5SUM` uses MD5 to verify the integrity of the downloaded Snappy 
source archive, relying on a cryptographically broken hash algorithm. An 
attacker who can influence the downloaded archive could exploit MD5 collision 
weaknesses to craft a malicious tarball that still matches this checksum, 
resulting in compromised build artifacts. Prefer a stronger hash function such 
as SHA-256 and update both the stored checksum and verification logic to use it 
for third-party downloads.
   ```suggestion
   # Use SHA-256 for integrity verification of the Snappy source archive.
   # Compute the correct value with: sha256sum snappy-1.1.10.tar.gz
   SNAPPY_SHA256SUM=""
   # Deprecated: do not use MD5 for integrity checks.
   SNAPPY_MD5SUM=""
   ```
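As an added example (not code from apache/doris or from this PR), the kind of SHA-256 pin check the comment above asks for, written as a POSIX shell helper; the function names `sha256_of` and `verify_sha256`, and the sample file and its digest, are assumptions constructed here so the block runs offline.

```shell
#!/usr/bin/env sh
# Added example, not part of apache/doris: pin a downloaded archive with SHA-256
# instead of MD5. Function names and the sample file are hypothetical.

# Compute SHA-256 of a file, using coreutils sha256sum or the BSD shasum fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: returns 0 when the file matches the pinned digest,
# 1 otherwise. The comparison is case-insensitive so an upper-case hex pin still
# works, and an empty pin is rejected instead of silently passing.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no checksum pinned for $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Constructed sample standing in for snappy-1.1.10.tar.gz: six bytes "hello\n".
SAMPLE=$(mktemp)
printf 'hello\n' > "$SAMPLE"
# SHA-256 of "hello\n" (constructed test value for the sample above).
SAMPLE_SHA256SUM="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"

# Typical use in a download script: verify_sha256 "$SNAPPY_NAME" "$SNAPPY_SHA256SUM" || exit 1
```

A download script would call `verify_sha256` on the fetched archive with the pinned value from `vars.sh` and abort the build on a non-zero return; the empty-pin check matters because a placeholder such as `SNAPPY_SHA256SUM=""` would otherwise let an unverified archive through.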



##########
thirdparty/CHANGELOG.md:
##########
@@ -2,6 +2,10 @@
 
 This file contains version of the third-party dependency libraries in the 
build-env image. The docker build-env image is apache/doris, and the tag is 
`build-env-${version}`
 
+## 20260202
+
+- Modified: snappy 1.1.8 -> 1.1.10
+
 ## 20151222
 
 - Added: timsort (cpp-TimSort 3.x.y)
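Review bot: the new `## 20260202` section is stacked directly on top of `## 20151222`; in a newest-first changelog the 20151222 block (with its timsort entry) belongs at the end, so if any later-dated sections follow below this context the 20151222 section is misplaced and should be moved to the bottom in the same PR rather than left sandwiched under the new entry. The entry text itself, `Modified: snappy 1.1.8 -> 1.1.10`, matches the vars.sh bump.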

Review Comment:
   The changelog entries appear intended to be in reverse chronological order 
(e.g., 20251127 -> 20251031 -> …), but the existing `## 20151222` section now 
sits between 20260202 and 20251127. To keep the history readable, please move 
the 20151222 section to the bottom (or otherwise restore consistent 
chronological ordering).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

