[ https://issues.apache.org/jira/browse/ZOOKEEPER-2594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15521024#comment-15521024 ]
Olaf Flebbe commented on ZOOKEEPER-2594:
----------------------------------------

I couldn't trigger ant to download ivy via contrib, but anyway, I included your requested change.

There is an unsafe code download left, but I like to fix problems in other projects first.

The "eclipse" target downloads an ant-eclipse plugin from sourceforge. Sourceforge redirects the URL to one of its mirrors via http:// and ant is blocking a redirect from TLS to http. Nice from a security standpoint but not good for automation.

{code}
olaf@9dec01f17711:~/zookeeper$ ant eclipse
Buildfile: /home/olaf/zookeeper/build.xml

ant-eclipse-download:
      [get] Getting: https://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2
      [get] To: /home/olaf/zookeeper/src/java/ant-eclipse-1.0.bin.tar.bz2
      [get] https://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2 moved to http://netix.dl.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2

BUILD FAILED
/home/olaf/zookeeper/build.xml:1693: Redirection detected from https to http. Protocol switch unsafe, not allowed.

Total time: 0 seconds
{code}

Please consider including the patch as is (modulo backporting to branches).

I will "port" it to Apache Bigtop as well.

Thanks
Olaf

> Use TLS for downloading artifacts during build
> ----------------------------------------------
>
>                 Key: ZOOKEEPER-2594
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2594
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 3.4.9, 3.5.2
>            Reporter: Olaf Flebbe
>            Assignee: Olaf Flebbe
>            Priority: Blocker
>              Labels: security
>             Fix For: 3.4.10, 3.5.3, 3.6.0
>
>         Attachments: 0001-ZOOKEEPER-2594-Use-TLS-for-downloading.patch, 0001-ZOOKEEPER-2594-Use-TLS-for-downloading.patch, ZOOKEEPER-2594.patch, compile.log
>
>
> Zookeeper builds are downloading dependencies using the insecure http:// protocol.
> An outdated java.net repository can be removed now, since its content is now on maven.org.
> The https://repo2.maven.org cannot be used, since its certificate is invalid. Use repo1.maven.org instead (IMHO this is intentional).
> Appended you'll find a proposed patch (against git head) to fix these issues, for a starter.
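The two checks this thread turns on, as an added example that is not part of the original message or of ZooKeeper's build: a scan of an Ant build file for `<get>` tasks whose resolved `src` is not https, and a check of a redirect chain for the https-to-http hop that Ant rejected. The build file is a constructed sample, the function names are hypothetical, and the redirect pair is the one in the Ant output above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample build file (not ZooKeeper's real build.xml).
SAMPLE_BUILD_XML = """<project name="sample">
  <property name="mvnrepo" value="http://repo1.maven.org/maven2"/>
  <property name="ivy.url" value="${mvnrepo}/org/apache/ivy/ivy"/>
  <target name="ivy-download">
    <get src="${ivy.url}/ivy.jar" dest="lib/ivy.jar"/>
  </target>
  <target name="ant-eclipse-download">
    <get src="https://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2" dest="src/java/ant-eclipse-1.0.bin.tar.bz2"/>
  </target>
</project>"""

# Redirect hop copied from the Ant output quoted in the comment.
LOGGED_CHAIN = [
    "https://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2",
    "http://netix.dl.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2",
]

def expand(value, props, depth=0):
    """Expand ${name} references; unknown names stay literal, as Ant leaves them."""
    new = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
    return new if new == value or depth >= 10 else expand(new, props, depth + 1)

def insecure_gets(build_xml):
    """Return (target, resolved_url) for every <get> whose src is not https."""
    root = ET.fromstring(build_xml)
    props = {}
    for p in root.iter("property"):
        if p.get("name") and p.get("value") is not None:
            # Simplification: Ant properties are immutable, so the first value wins.
            props.setdefault(p.get("name"), p.get("value"))
    findings = []
    for target in root.iter("target"):
        for get in target.iter("get"):
            url = expand(get.get("src", ""), props)
            if urlsplit(url).scheme.lower() != "https":
                findings.append((target.get("name"), url))
    return findings

def first_downgrade(chain):
    """Return the (from, to) hop where a redirect chain leaves https, else None."""
    for src, dst in zip(chain, chain[1:]):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https":
            return (src, dst)
    return None
```

The static scan passes the `ant-eclipse-download` target because its `src` is https; only the redirect check catches the downgrade, which is why the remaining download is visible at build time rather than in the build file.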