[ 
https://issues.apache.org/jira/browse/LUCENE-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245603#comment-13245603
 ] 

Hoss Man commented on LUCENE-3945:
----------------------------------

#1: I know that Ivy attempts MD5 & SHA1 verification by default -- but it does 
that verification against checksum files located on the server, so it only 
offers protection against corruption in transit, not against files deliberately 
modified on the server.

#2 i realize that the maintainers of maven repos say "all files are immutable" 
and that this potential risk of malicious or accidental file changes exists for 
all maven users -- but that's the choice of all maven users to accept that as a 
way of life.  I'm raising this issue only to point out a discrepancy between 
the "confidence" we used to be able to give people who download src releases, vs 
what we have currently with ivy.
                
> we should include checksums for every jar ivy fetches in svn & src releases 
> to verify the jars are the ones we expect
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: LUCENE-3945
>                 URL: https://issues.apache.org/jira/browse/LUCENE-3945
>             Project: Lucene - Java
>          Issue Type: Task
>            Reporter: Hoss Man
>             Fix For: 3.6, 4.0
>
>
> Conversation with rmuir last night got me thinking about the fact that one 
> thing we lose by using ivy is confidence that every user of a release is 
> compiling against (and likely using at run time) the same dependencies as 
> every other user.
> Up to 3.5, users of src and binary releases could be confident that the jars 
> included in the release were the same jars the lucene devs vetted and tested 
> against when voting on the release candidate, but with ivy there is now the 
> possibility that after the source release is published, the owner of a domain 
> where these dependencies are hosted might change the jars in some way w/o 
> anyone knowing.  Likewise: we as developers could commit an ivy.xml file 
> pointing to a specific URL which we then use for and test for months, and 
> just prior to a release, the contents of the remote URL could change such 
> that a JAR included in the binary artifacts might not match the ones we've 
> vetted and tested leading up to that RC.
> So i propose that we include checksum files in svn and in our source releases 
> that can be used by users to verify that the jars they get from ivy match the 
> jars we tested against.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
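The distinction in Hoss Man's point #1 (a checksum served next to the jar on the same server only proves the bytes arrived intact; a checksum pinned in svn proves they are the bytes the developers vetted) is easy to see in code. The following is an added example, not Lucene's build code or anything from the issue: it reads a `sha1sum`-style checksum file assumed to be committed alongside ivy.xml (the path `ivy-checksums.sha1` is hypothetical), verifies a lib directory against it, and contrasts that with an Ivy-style sidecar check. The "repository", its jars and the tampering are constructed in a temp directory so the script runs offline.

```python
"""Verify Ivy-fetched jars against checksums pinned in the source tree.

Added example, not Lucene's own build code. Assumes a checksum file in
sha1sum format ("<hex>  <filename>"), e.g. a hypothetical
lucene/ivy-checksums.sha1 committed next to ivy.xml.
"""
import hashlib
import os
import tempfile


def sha1_of_file(path):
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse '<hex>  <name>' lines (sha1sum output) into {name: hex}."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        pinned[name.lstrip("*")] = digest.lower()  # '*' = sha1sum binary marker
    return pinned


def verify_jars(lib_dir, pinned):
    """Check every pinned jar in lib_dir; return {name: 'ok'|'mismatch'|'missing'}."""
    results = {}
    for name, expected in pinned.items():
        path = os.path.join(lib_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha1_of_file(path) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def sidecar_check(jar_path):
    """Transport-integrity check only: compare the jar with the .sha1 file
    served beside it. Anyone who can replace the jar can replace this too."""
    with open(jar_path + ".sha1") as f:
        return sha1_of_file(jar_path) == f.read().split()[0].lower()


def demo():
    """Publish two fake jars, pin their checksums, tamper one server-side
    together with its sidecar, and report what each check sees."""
    with tempfile.TemporaryDirectory() as repo:
        # Constructed "jars": the bytes are arbitrary, only the digests matter.
        jars = {"commons-codec-1.6.jar": b"codec-bytes-v1",
                "junit-4.10.jar": b"junit-bytes"}

        def publish(name, data):
            path = os.path.join(repo, name)
            with open(path, "wb") as f:
                f.write(data)
            with open(path + ".sha1", "w") as f:   # sidecar served by the repo
                f.write(hashlib.sha1(data).hexdigest() + "\n")

        for name, data in jars.items():
            publish(name, data)

        # Checksums taken at RC time and committed to svn (constructed here).
        pinned = parse_checksum_file(
            "\n".join(f"{hashlib.sha1(d).hexdigest()}  {n}" for n, d in jars.items()))
        before = verify_jars(repo, pinned)

        # Server-side tampering: new jar contents AND a regenerated sidecar.
        publish("commons-codec-1.6.jar", b"codec-bytes-with-backdoor")

        sidecar_ok = sidecar_check(os.path.join(repo, "commons-codec-1.6.jar"))
        after = verify_jars(repo, pinned)
        return before, sidecar_ok, after


if __name__ == "__main__":
    before, sidecar_ok, after = demo()
    print("pinned check before tamper:", before)
    print("sidecar check after tamper passes:", sidecar_ok)
    print("pinned check after tamper:", after)
```

The sidecar check still passes after the tampering because the attacker controls both files; only the copy of the digest that lives in svn (and therefore in the source release) detects the swap. SHA-1 is used here to match what Ivy verified at the time; a build adopting this today would pin SHA-256 instead.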
