On 9 July 2014 21:57, Sumit Mohanty <[email protected]> wrote:

> Any idea on how we can share pre-created application packages? Is there an
> Apache recommendation around it?
>
>
The de facto ASF way would be to publish them to the Maven central
repository and let maven/ivy/... retrieve it. That handles replication and
basic checksumming, but
- would lead to massive ~/.m2/repository bloat
- doesn't do real security, given the artifacts aren't signed and the MD5
checksum is fetched from the mirror server publishing the binaries. Serving
malicious artifacts based on requester ID is an obvious attack.


I think long term we do need a story here, but short term: just publish
them alongside slider itself.

Longer term? I'd like some kind of repository URLs + list of public keys
you trust; slider could list available artifacts, download them to HDFS.
This is of course what YUM and Debian repositories do.

If we do something like that, then we have to do it securely, which is why
I don't think we should rush into it. You have to think about key
propagation/revocation and the like. And before anyone says "just use
HTTPS", know that this would stop you publishing from Amazon S3, Azure, etc.
unless you want to give anyone with an S3 or AVS blobstore full rights to
publish what appear to be trusted artifacts:
http://stackoverflow.com/questions/11201316/how-to-configure-ssl-for-amazon-s3-bucket

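The two trust models contrasted in the reply above, as an added example that is not Slider code and not part of the thread: a client that verifies a download against the .md5 it fetched from the same mirror, beside a client that verifies a detached signature against a list of publisher keys it already holds (the yum/apt model). It uses Ed25519 from Go's standard library as a stand-in for the PGP signatures those repositories actually use; the mirror, the artifact contents, the requester names, the seed labels and the "victim" targeting are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Served is what a repository mirror hands back: the artifact bytes, the
// checksum file that sits beside it on the same server, and a detached
// signature that the mirror merely stores.
type Served struct {
	Body []byte
	MD5  string
	Sig  []byte
}

// Mirror models a mirror that can swap the body for specific requesters.
// Constructed data: the artifact contents are made up for this example.
type Mirror struct {
	genuine, malicious []byte
	targets            map[string]bool
	sig                []byte // publisher's signature over genuine
}

func md5hex(b []byte) string {
	s := md5.Sum(b)
	return hex.EncodeToString(s[:])
}

// KeyFromSeed derives a deterministic Ed25519 key pair from a label.
// Demo only: real publisher keys come from a CSPRNG, not a string.
func KeyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign produces the detached signature the publisher uploads next to the artifact.
func Sign(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// Fetch serves the genuine artifact to everyone except targeted requesters and
// recomputes the checksum so that it always matches whatever was served.
func (m *Mirror) Fetch(requester string) Served {
	body := m.genuine
	if m.targets[requester] {
		body = m.malicious
	}
	return Served{Body: body, MD5: md5hex(body), Sig: m.sig}
}

// VerifyByMirrorChecksum is the maven/ivy model: compare the download with the
// .md5 fetched from the same mirror. It detects corruption, not substitution.
func VerifyByMirrorChecksum(s Served) bool {
	return md5hex(s.Body) == s.MD5
}

// VerifyBySignature is the yum/apt model: the client carries its own list of
// trusted publisher keys. The mirror never holds a private key, so it cannot
// produce a valid signature over a swapped body.
func VerifyBySignature(s Served, trusted []ed25519.PublicKey) error {
	for _, pub := range trusted {
		if ed25519.Verify(pub, s.Body, s.Sig) {
			return nil
		}
	}
	return errors.New("no trusted key verifies the artifact signature")
}

// Revoke drops a key from the trust list; old signatures by that key then fail.
func Revoke(trusted []ed25519.PublicKey, revoked ed25519.PublicKey) []ed25519.PublicKey {
	out := []ed25519.PublicKey{}
	for _, k := range trusted {
		if !bytes.Equal(k, revoked) {
			out = append(out, k)
		}
	}
	return out
}

// Scenario records what each check concluded for each fetch.
type Scenario struct {
	ChecksumAcceptsGenuine, ChecksumAcceptsSwapped   bool
	SigAcceptsGenuine, SigAcceptsSwapped             bool
	SigAcceptsUntrustedSigner, SigAcceptsAfterRevoke bool
}

// RunScenario wires up a publisher, a rogue bucket owner and a targeting mirror.
func RunScenario() Scenario {
	pubPublisher, privPublisher := KeyFromSeed("slider-release-manager") // hypothetical
	_, privBucketOwner := KeyFromSeed("rogue-bucket-owner")              // hypothetical
	genuine := []byte("app-package.zip (constructed contents)")
	malicious := []byte("app-package.zip with a backdoor (constructed contents)")
	mirror := &Mirror{genuine: genuine, malicious: malicious,
		targets: map[string]bool{"victim": true}, sig: Sign(privPublisher, genuine)}
	trusted := []ed25519.PublicKey{pubPublisher}

	forAlice := mirror.Fetch("alice")
	forVictim := mirror.Fetch("victim")
	// Anyone who owns a bucket can sign with a key of their own; only the trust list stops them.
	selfSigned := Served{Body: malicious, MD5: md5hex(malicious), Sig: Sign(privBucketOwner, malicious)}

	return Scenario{
		ChecksumAcceptsGenuine:    VerifyByMirrorChecksum(forAlice),
		ChecksumAcceptsSwapped:    VerifyByMirrorChecksum(forVictim),
		SigAcceptsGenuine:         VerifyBySignature(forAlice, trusted) == nil,
		SigAcceptsSwapped:         VerifyBySignature(forVictim, trusted) == nil,
		SigAcceptsUntrustedSigner: VerifyBySignature(selfSigned, trusted) == nil,
		SigAcceptsAfterRevoke:     VerifyBySignature(forAlice, Revoke(trusted, pubPublisher)) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The checksum check accepts both the genuine and the swapped download, because the mirror serves a checksum computed over whatever it chose to serve; the signature check rejects the swapped body, rejects a body signed by a key the client does not trust, and rejects the genuine body once the publisher's key has been revoked from the local list, which is the key propagation/revocation problem the reply says has to be designed before shipping such a scheme.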