srowen commented on a change in pull request #32505:
URL: https://github.com/apache/spark/pull/32505#discussion_r630332629
##########
File path: build/mvn
##########
@@ -26,36 +26,67 @@ _COMPILE_JVM_OPTS="-Xmx2g -XX:ReservedCodeCacheSize=1g"
# Installs any application tarball given a URL, the expected tarball name,
# and, optionally, a checkable binary path to determine if the binary has
-# already been installed
-## Arg1 - URL
-## Arg2 - Tarball Name
-## Arg3 - Checkable Binary
+# already been installed. Arguments:
+# 1 - Mirror host
+# 2 - URL path on host
+# 3 - URL query string
+# 4 - checksum suffix
+# 5 - Tarball Name
+# 6 - Checkable Binary
install_app() {
- local remote_tarball="$1"
- local local_tarball="${_DIR}/$2"
- local binary="${_DIR}/$3"
+ local mirror_host="$1"
+ local url_path="$2"
+ local url_query="$3"
+ local checksum_suffix="$4"
+ local local_tarball="${_DIR}/$5"
+ local binary="${_DIR}/$6"
+ local remote_tarball="${mirror_host}/${url_path}${url_query}"
+ local local_checksum="${local_tarball}.${checksum_suffix}"
+ local
remote_checksum="https://archive.apache.org/dist/${url_path}.${checksum_suffix}"
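Review bot: the checksum URL reuses `url_path` verbatim, so this only works when the mirror and archive.apache.org share the same directory layout; if the path differs on the archive, the `https://archive.apache.org/dist/${url_path}.${checksum_suffix}` fetch returns a 404 and the later comparison should treat a missing or empty `${local_checksum}` as a hard failure (delete `${local_tarball}` and abort) rather than fall through to an unverified install. It would also help to say in the header comment that the checksum is intentionally fetched from archive.apache.org over https and never from `${mirror_host}`, since that asymmetry is the reason the function now takes the host, path and query as separate arguments.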
Review comment:
One more point: the checksums are not mirrored (well, not
consistently). But we very much want to check only the ASF's version of the
checksum. If an attacker modified a mirror's artifact, they could just modify
the checksum too of course.
--
This is an automated message from the Apache Git Service.
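To make the point in the comment above concrete, here is an added example of the download-and-verify rule it describes (fetch the artifact from any mirror, fetch the checksum only from the trusted origin, fail closed on mismatch). This is not Spark's build/mvn and not the reviewer's code: the "mirror" and "archive" are local directories with constructed contents so it runs offline, the fetch is simulated with `cp` where a real build would use curl or wget over https, and the assumption that a checksum file is either sha512sum-style `<hex>  <name>` or a bare hex digest is the example's own.

```shell
#!/usr/bin/env bash
# Added example, not Spark's build/mvn. Artifact from an untrusted mirror,
# checksum only from the trusted origin, fail closed on mismatch.
# Mirror and archive are local directories (constructed input); a real build
# would fetch both with curl/wget over https.
set -euo pipefail

# SHA-512 of a file as lowercase hex (GNU coreutils or perl shasum).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# verify_sha512 FILE CHECKSUM_FILE
# Assumed checksum layout: "<hex>  <name>" (sha512sum output) or a bare hex
# digest. Succeeds only on an exact, non-empty match.
verify_sha512() {
  local file="$1" checksum_file="$2"
  local expected actual
  [ -s "$checksum_file" ] || return 1
  expected=$(head -n 1 "$checksum_file" | tr -d '\r' | awk '{print tolower($1)}')
  actual=$(sha512_of "$file")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_app MIRROR_DIR ARCHIVE_DIR NAME DEST_DIR
# NAME comes from MIRROR_DIR (untrusted); NAME.sha512 comes only from
# ARCHIVE_DIR (trusted origin). On any failure the download is removed and
# the function returns non-zero, so a tampered mirror cannot leave a usable
# but unverified tarball behind.
install_app() {
  local mirror_dir="$1" archive_dir="$2" name="$3" dest_dir="$4"
  local tarball="$dest_dir/$name" checksum="$dest_dir/$name.sha512"
  mkdir -p "$dest_dir"
  if ! cp "$mirror_dir/$name" "$tarball" 2>/dev/null; then
    echo "fetch from mirror failed: $name" >&2; return 1
  fi
  # The checksum location is never derived from the mirror.
  if ! cp "$archive_dir/$name.sha512" "$checksum" 2>/dev/null; then
    echo "checksum not available from origin, refusing to install" >&2
    rm -f "$tarball"; return 1
  fi
  if ! verify_sha512 "$tarball" "$checksum"; then
    echo "checksum mismatch for $name, removing download" >&2
    rm -f "$tarball" "$checksum"; return 1
  fi
  echo "verified $name" >&2
}

# Constructed scenario: a trusted archive, an honest mirror, and a mirror whose
# operator replaced the artifact and republished a matching checksum.
# Prints the scratch directory so callers can inspect or clean it up.
make_scenario() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/archive" "$root/good-mirror" "$root/bad-mirror"
  printf 'genuine build\n' > "$root/archive/tool.tgz"
  sha512_of "$root/archive/tool.tgz" | sed 's/$/  tool.tgz/' > "$root/archive/tool.tgz.sha512"
  cp "$root/archive/tool.tgz" "$root/good-mirror/tool.tgz"
  printf 'trojaned build\n' > "$root/bad-mirror/tool.tgz"
  sha512_of "$root/bad-mirror/tool.tgz" > "$root/bad-mirror/tool.tgz.sha512"
  echo "$root"
}

# Returns 0 iff the honest mirror installs and the tampered mirror is rejected,
# even though the tampered mirror's own checksum matches its own artifact.
demo() {
  local root; root=$(make_scenario)
  install_app "$root/good-mirror" "$root/archive" tool.tgz "$root/out-good" || return 1
  # Trusting the mirror's checksum would wrongly accept the tampered build:
  verify_sha512 "$root/bad-mirror/tool.tgz" "$root/bad-mirror/tool.tgz.sha512" || return 1
  # Checking against the origin's checksum rejects it and leaves nothing behind:
  if install_app "$root/bad-mirror" "$root/archive" tool.tgz "$root/out-bad"; then return 1; fi
  [ ! -e "$root/out-bad/tool.tgz" ] || return 1
  rm -rf "$root"
}

demo
```

The bad-mirror case is exactly the attack the comment describes: the attacker's checksum agrees with the attacker's artifact, so any check that reads the checksum from the same host as the tarball proves nothing. Verification only gains value when the expected digest comes from a source the attacker does not control and a missing or mismatched digest aborts the install instead of being skipped.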