Uwe Schindler created LUCENE-8807:
-------------------------------------
Summary: Change all download URLs in build files to HTTPS
Key: LUCENE-8807
URL: https://issues.apache.org/jira/browse/LUCENE-8807
Project: Lucene - Core
Issue Type: Task
Components: general/build
Affects Versions: 8.1
Reporter: Uwe Schindler
Assignee: Uwe Schindler
Fix For: master (9.0), 8.2, 8.1.1
At least for Lucene this is not a security issue, because we have checksums for
all downloaded JAR dependencies, but ASF asked all projects to ensure that
download URLs for dependencies are using HTTPS:
{quote}
[...] Projects like Lucene do checksum whitelists of
all their build dependencies, and you may wish to consider that as a
protection against threats beyond just MITM [...]
{quote}
This patch fixes the URLs for most files referenced in {{*build.xml}} and
{{*ivy*.xml}} to HTTPS. There are a few data files in benchmark which use HTTP
only, but that's uncritical and I added a TODO. Some were broken already.
I removed the "uk.maven.org" workarounds for Maven, as this does not work with
HTTPS. By keeping those inside, we break the whole chain of trust, as any
non-working HTTPS would fallback to the insecure uk.maven.org Maven mirror.
As the great chinese firewall is changing all the time, we should just wait for
somebody complaining.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
