Uwe Schindler created LUCENE-8807: ------------------------------------- Summary: Change all download URLs in build files to HTTPS Key: LUCENE-8807 URL: https://issues.apache.org/jira/browse/LUCENE-8807 Project: Lucene - Core Issue Type: Task Components: general/build Affects Versions: 8.1 Reporter: Uwe Schindler Assignee: Uwe Schindler Fix For: master (9.0), 8.2, 8.1.1
At least for Lucene this is not a security issue, because we have checksums for all downloaded JAR dependencies, but ASF asked all projects to ensure that download URLs for dependencies are using HTTPS: {quote} [...] Projects like Lucene do checksum whitelists of all their build dependencies, and you may wish to consider that as a protection against threats beyond just MITM [...] {quote} This patch fixes the URLs for most files referenced in {{*build.xml}} and {{*ivy*.xml}} to HTTPS. There are a few data files in benchmark which use HTTP only, but that's uncritical and I added a TODO. Some were broken already. I removed the "uk.maven.org" workarounds for Maven, as this does not work with HTTPS. By keeping those inside, we break the whole chain of trust, as any non-working HTTPS would fallback to the insecure uk.maven.org Maven mirror. As the great chinese firewall is changing all the time, we should just wait for somebody complaining. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org