Hey,

On Monday, 30.10.2017, 20:02 +0100, Antonio Vieiro wrote:
> > > On the other hand during review of HTML/Java API I had to remove download
> > > from Google Maven repository - it was seen as untrusted. I assume the same
> > > will be said about the Eclipse repository.
> >
> > I don't follow that argument. The trust basis is the SHA1 hash that is
> > checked at download time. At this point in time I consider SHA1 as a
> > safe basis and thus I don't care if the binary comes from Maven Central,
> > the Eclipse repository or whatever.
>
> Untrusted because missing https certificates, maybe?
>
> The DownloadBinaries.java ant task currently uses plain http, so no worries
> about https certificates (but we could use a custom SSLSocketFactory with
> some certs if required).
>
Please see the DownloadBinaries#doDownload method. The download is done and after that the file hash is compared with the reference from the binaries-list. So you'd need to create a SHA1 collision to inject code when downloading. While theoretically possible, I'd currently not think about the problem.

We should think about making the hashing extendable, so that we can later switch to safer hashing algorithms.

Greetings
Matthias
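The download-then-compare step described above, with the algorithm made pluggable as Matthias suggests, as an added Python example. This is not the NetBeans DownloadBinaries code and not the real binaries-list format: the `ALG:` prefix on a hash entry, the plain-entry-means-SHA1 default, the artifact bytes and the file names are all constructed for the example. The check compares digests in constant time and insists the reference digest has the algorithm's full length, so a truncated or wrong-algorithm entry fails rather than silently weakening the check.

```python
import hashlib
import hmac

# Constructed mapping of algorithm labels to hashlib constructors. The
# "ALG:" label prefix in binaries-list entries is this example's own
# extension point, not something the project's task parses.
SUPPORTED_ALGORITHMS = {
    "SHA1": hashlib.sha1,        # legacy default for unprefixed entries
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
}
DEFAULT_ALGORITHM = "SHA1"

# Constructed sample artifacts standing in for downloaded binaries.
ARTIFACTS = {
    "lib-legacy.jar": b"PK\x03\x04 constructed legacy jar bytes",
    "lib-modern.jar": b"PK\x03\x04 constructed modern jar bytes",
}


class VerificationError(Exception):
    """Raised when a downloaded file does not match its reference entry."""


def parse_binaries_list(text):
    """Parse lines of the form '<hash> <filename>' or '<ALG>:<hash> <filename>'.

    Returns a dict filename -> (algorithm, expected_hex). Blank lines and
    '#' comments are skipped; unprefixed entries default to SHA1 and an
    unknown algorithm label is rejected up front.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise VerificationError(f"line {lineno}: expected '<hash> <filename>'")
        digest_spec, filename = parts
        if ":" in digest_spec:
            algorithm, expected = digest_spec.split(":", 1)
        else:
            algorithm, expected = DEFAULT_ALGORITHM, digest_spec
        if algorithm not in SUPPORTED_ALGORITHMS:
            raise VerificationError(f"line {lineno}: unsupported algorithm {algorithm!r}")
        entries[filename] = (algorithm, expected.lower())
    return entries


def verify_download(filename, data, entries):
    """Hash the downloaded bytes and compare them with the reference entry.

    The reference digest must have the algorithm's full hex length, and the
    comparison is constant-time. Returns the algorithm that was checked.
    """
    if filename not in entries:
        raise VerificationError(f"{filename}: no reference hash in binaries-list")
    algorithm, expected = entries[filename]
    actual = SUPPORTED_ALGORITHMS[algorithm](data).hexdigest()
    if len(expected) != len(actual) or not hmac.compare_digest(actual, expected):
        raise VerificationError(f"{filename}: {algorithm} mismatch")
    return algorithm


def build_binaries_list(artifacts, algorithms):
    """Write binaries-list text for the constructed artifacts.

    SHA1 entries are written unprefixed (the legacy form); any other
    algorithm gets the 'ALG:' prefix so old and new entries coexist.
    """
    lines = ["# constructed binaries-list for the example"]
    for name, data in artifacts.items():
        algorithm = algorithms[name]
        hexdigest = SUPPORTED_ALGORITHMS[algorithm](data).hexdigest()
        spec = hexdigest if algorithm == DEFAULT_ALGORITHM else f"{algorithm}:{hexdigest}"
        lines.append(f"{spec} {name}")
    return "\n".join(lines) + "\n"


def run_checks():
    """Exercise the verifier: genuine files, a tampered file, an unknown algorithm."""
    text = build_binaries_list(
        ARTIFACTS, {"lib-legacy.jar": "SHA1", "lib-modern.jar": "SHA-256"})
    entries = parse_binaries_list(text)
    results = {
        "legacy_ok": verify_download("lib-legacy.jar", ARTIFACTS["lib-legacy.jar"], entries),
        "modern_ok": verify_download("lib-modern.jar", ARTIFACTS["lib-modern.jar"], entries),
    }
    # A download whose bytes differ from the reference must be rejected.
    try:
        verify_download("lib-modern.jar", ARTIFACTS["lib-modern.jar"] + b"\x00extra", entries)
        results["tampered"] = "accepted"
    except VerificationError:
        results["tampered"] = "rejected"
    # An entry naming an algorithm the verifier does not support is refused.
    try:
        parse_binaries_list("MD5:d41d8cd98f00b204e9800998ecf8427e other.jar")
        results["unknown_alg"] = "accepted"
    except VerificationError:
        results["unknown_alg"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

Keeping the legacy unprefixed form readable means existing SHA1 entries keep working while new entries can be migrated one at a time; the per-entry algorithm label is what makes the later switch a data change rather than a code change.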
