[
https://issues.apache.org/jira/browse/ZOOKEEPER-2594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15521024#comment-15521024
]
Olaf Flebbe commented on ZOOKEEPER-2594:
----------------------------------------
I couldn't trigger ant to download ivy via contrib, but anyway, I included your
requested change.
There is an unsafe code download left, but I would like to fix problems in other
projects first. The "eclipse" target downloads an ant-eclipse plugin from
SourceForge. SourceForge redirects the URL to one of its mirrors via http://,
and ant blocks a redirect from TLS to http. Nice from a security standpoint,
but not good for automation.
{code}
olaf@9dec01f17711:~/zookeeper$ ant eclipse
Buildfile: /home/olaf/zookeeper/build.xml
ant-eclipse-download:
[get] Getting: https://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2
[get] To: /home/olaf/zookeeper/src/java/ant-eclipse-1.0.bin.tar.bz2
[get] https://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2 moved to http://netix.dl.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2
BUILD FAILED
/home/olaf/zookeeper/build.xml:1693: Redirection detected from https to http.
Protocol switch unsafe, not allowed.
Total time: 0 seconds
{code}
Please consider including the patch as is (modulo backporting to branches). I
will "port" it to Apache Bigtop as well.
Thanks
Olaf
> Use TLS for downloading artifacts during build
> ----------------------------------------------
>
> Key: ZOOKEEPER-2594
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2594
> Project: ZooKeeper
> Issue Type: Improvement
> Components: build
> Affects Versions: 3.4.9, 3.5.2
> Reporter: Olaf Flebbe
> Assignee: Olaf Flebbe
> Priority: Blocker
> Labels: security
> Fix For: 3.4.10, 3.5.3, 3.6.0
>
> Attachments: 0001-ZOOKEEPER-2594-Use-TLS-for-downloading.patch,
> 0001-ZOOKEEPER-2594-Use-TLS-for-downloading.patch, ZOOKEEPER-2594.patch,
> compile.log
>
>
> Zookeeper builds are downloading dependencies using the insecure http://
> protocol.
> An outdated java.net repository can be removed now, since its content is now
> on maven.org.
> The https://repo2.maven.org cannot be used, since its certificate is invalid.
> Use repo1.maven.org instead (IMHO this is intentional).
> Appended you'll find a proposed patch (against git head) to fix these issues,
> for a starter.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
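The redirect policy ant's {{<get>}} task applied in the output above (a hop from https to http is refused as a "protocol switch"), written out as an added example that is not ZooKeeper's build code or Olaf's patch. It follows redirects but aborts on any TLS-to-plaintext hop, using the exact SourceForge and netix mirror URLs from the thread as inputs, and then checks the downloaded bytes against a pinned SHA-256. The checksum step is an assumption of this example (the patch under discussion only switches the download URLs to https), and the sample artifact bytes are constructed stand-ins so the checksum path runs offline.

```python
# Added example (not ZooKeeper's build code or the ZOOKEEPER-2594 patch):
# a downloader that follows redirects but enforces the policy ant's <get>
# applied in the thread, refusing any hop from https to http, and then
# verifies a pinned SHA-256. The checksum check is this example's addition.
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit


class DowngradeError(Exception):
    """Raised when a redirect would move an https download to plain http."""


def is_safe_redirect(from_url: str, to_url: str) -> bool:
    """Allow a redirect only if it does not weaken transport security.

    https -> https: allowed.   http -> https: allowed (upgrade).
    https -> http:  refused.   http -> http:  allowed (never protected).
    Any target scheme other than http/https is refused outright.
    """
    src = urlsplit(from_url).scheme.lower()
    dst = urlsplit(to_url).scheme.lower()
    if dst not in ("http", "https"):
        return False
    return not (src == "https" and dst == "http")


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib redirect handler that aborts on a TLS -> plaintext hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_safe_redirect(req.full_url, newurl):
            raise DowngradeError(
                f"Redirection detected from {req.full_url} to {newurl}: "
                "protocol switch unsafe, not allowed")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the artifact's SHA-256 with a pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_artifact(url: str, expected_sha256: str, timeout: float = 30.0) -> bytes:
    """Download url over TLS, refusing downgrades, and verify its checksum."""
    if urlsplit(url).scheme.lower() != "https":
        raise DowngradeError(f"refusing to start a non-TLS download: {url}")
    opener = urllib.request.build_opener(NoDowngradeRedirectHandler())
    with opener.open(url, timeout=timeout) as resp:
        data = resp.read()
    if not verify_sha256(data, expected_sha256):
        raise ValueError(f"SHA-256 mismatch for {url}; discarding download")
    return data


# Constructed sample bytes so the checksum path can be exercised offline.
SAMPLE_ARTIFACT = b"constructed stand-in for ant-eclipse-1.0.bin.tar.bz2"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# The redirect that made `ant eclipse` fail in the thread's output.
SOURCEFORGE_URL = ("https://downloads.sourceforge.net/project/ant-eclipse/"
                   "ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2")
MIRROR_URL = ("http://netix.dl.sourceforge.net/project/ant-eclipse/"
              "ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2")


if __name__ == "__main__":
    # Policy decisions for the SourceForge hop, without touching the network.
    print("sourceforge -> netix (http) allowed?",
          is_safe_redirect(SOURCEFORGE_URL, MIRROR_URL))
    print("sourceforge -> netix (https) allowed?",
          is_safe_redirect(SOURCEFORGE_URL, MIRROR_URL.replace("http://", "https://", 1)))
    print("sample checksum ok?", verify_sha256(SAMPLE_ARTIFACT, SAMPLE_SHA256))
```

The redirect check alone only guarantees the bytes travelled over TLS; a mirror that is itself compromised still serves whatever it likes over https, which is why the pinned SHA-256 in {{fetch_artifact}} is the part that actually ties the build to a known artifact. {{hmac.compare_digest}} is used for the digest comparison so the check does not leak timing, although for a build-time download that is a habit rather than a practical concern.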