[ https://issues.apache.org/jira/browse/LUCENE-8807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844938#comment-16844938 ]
ASF subversion and git services commented on LUCENE-8807:
---------------------------------------------------------

Commit 0654377fec274c33bedd9ebaa7cf5ebe3c6005b3 in lucene-solr's branch refs/heads/branch_7_7 from Uwe Schindler
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=0654377 ]

LUCENE-8807: Change all download URLs in build files to HTTPS

# Conflicts:
#	lucene/common-build.xml

> Change all download URLs in build files to HTTPS
> ------------------------------------------------
>
>                 Key: LUCENE-8807
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8807
>             Project: Lucene - Core
>          Issue Type: Task
>          Components: general/build
>    Affects Versions: 8.1
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 7.7.2, master (9.0), 8.2, 8.1.1
>
>         Attachments: LUCENE-8807.patch, LUCENE-8807.patch
>
>
> At least for Lucene this is not a security issue, because we have checksums
> for all downloaded JAR dependencies:
> {quote}
> [...] Projects like Lucene do checksum whitelists of
> all their build dependencies, and you may wish to consider that as a
> protection against threats beyond just MITM [...]
> {quote}
> This patch fixes the URLs for most files referenced in {{\*build.xml}} and
> {{\*ivy\*.xml}} to HTTPS. There are a few data files in benchmark which use
> HTTP only, but that's uncritical and I added a TODO. Some were broken already.
> I removed the "uk.maven.org" workarounds for Maven, as this does not work
> with HTTPS. By keeping those inside, we break the whole chain of trust, as
> any non-working HTTPS would fall back to the insecure uk.maven.org Maven
> mirror.
> As the great Chinese firewall is changing all the time, we should just wait
> for somebody complaining.
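
An added example, not part of the original message or of the Lucene build: a small audit that reports plain-HTTP download URLs in Ant/Ivy XML and names any Ivy resolver chain that still contains an HTTP member, the fallback situation the issue describes. Both XML samples are constructed for illustration, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Ivy settings sample (not Lucene's actual file).
SAMPLE_IVY = """\
<ivysettings>
  <resolvers>
    <chain name="default" returnFirst="true">
      <ibiblio name="main" root="https://repo1.maven.org/maven2" m2compatible="true"/>
      <ibiblio name="fallback" root="http://uk.maven.org/maven2" m2compatible="true"/>
    </chain>
  </resolvers>
</ivysettings>
"""

# Constructed Ant sample; the xmlns value is an identifier, not a download.
SAMPLE_BUILD = """\
<project name="demo" xmlns:x="http://example.org/ns">
  <target name="fetch">
    <get src="http://example.org/data/corpus.tar.gz" dest="work/corpus.tar.gz"/>
    <get src="https://example.org/tool.jar" dest="lib/tool.jar"/>
  </target>
</project>
"""

HTTP_URL = re.compile(r"http://[^\s\"'<>]+", re.IGNORECASE)

def find_plain_http(xml_text):
    """Return (tag, attribute, url) for each http:// URL in attributes or element text.
    ElementTree does not expose xmlns declarations as attributes, so they are skipped."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            findings += [(elem.tag, attr, u) for u in HTTP_URL.findall(value)]
        findings += [(elem.tag, "#text", u) for u in HTTP_URL.findall(elem.text or "")]
    return findings

def chains_with_http_member(xml_text):
    """Names of Ivy <chain> resolvers that contain any member with a plain-HTTP root."""
    return [chain.get("name") for chain in ET.fromstring(xml_text).iter("chain")
            if any(HTTP_URL.match(m.get("root", "")) for m in chain)]

if __name__ == "__main__":
    for label, text in (("ivy", SAMPLE_IVY), ("build", SAMPLE_BUILD)):
        for tag, attr, url in find_plain_http(text):
            print(f"{label}: <{tag} {attr}=...> uses {url}")
    print("chains that can resolve over HTTP:", chains_with_http_member(SAMPLE_IVY))
```

Run over a checkout's `*build.xml` and `*ivy*.xml` files in CI, a non-empty result from either function can fail the build so an HTTP mirror is not reintroduced later.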