Patrick Hunt commented on ZOOKEEPER-2594:

Thanks Olaf, this is great. I verified manually myself by clearing the ant/m2 
caches - compiled fine.

One thing I did notice, that we have references in other locations, e.g.:

value="http://repo2.maven.org/maven2/org/apache/ivy/ivy"; />

we build our distribution via "ant clean tar" - which includes things like 

Olaf - would you be able to check the other build files as well and update this 
patch? I'd really like to address all the issues as part of this patch if at 
all possible and put this problem to bed.


> Use TLS for downloading artifacts during build
> ----------------------------------------------
>                 Key: ZOOKEEPER-2594
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2594
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 3.4.9, 3.5.2
>            Reporter: Olaf Flebbe
>            Assignee: Olaf Flebbe
>            Priority: Blocker
>              Labels: security
>             Fix For: 3.4.10, 3.5.3, 3.6.0
>         Attachments: 0001-ZOOKEEPER-2594-Use-TLS-for-downloading.patch, 
> ZOOKEEPER-2594.patch, compile.log
> Zookeeper builds are downloading dependencies using the insecure http:// 
> protocol. 
> An outdated java.net repository can be removed now, since its content is now 
> on maven.org.
> The https://repo2.maven.org cannot be used, since its certificate is invalid. 
> Use repo1.maven.org instead (IMHO this is intentional).
> Appended you'll find a proposed patch (against git head) to fix these issues, 
> for a starter.

This message was sent by Atlassian JIRA

Reply via email to