[ https://issues.apache.org/jira/browse/LUCENE-8807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Uwe Schindler resolved LUCENE-8807.
-----------------------------------
    Resolution: Fixed

> Change all download URLs in build files to HTTPS
> ------------------------------------------------
>
>                 Key: LUCENE-8807
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8807
>             Project: Lucene - Core
>          Issue Type: Task
>          Components: general/build
>    Affects Versions: 8.1
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 7.7.2, master (9.0), 8.2, 8.1.1
>
>         Attachments: LUCENE-8807.patch, LUCENE-8807.patch
>
>
> At least for Lucene this is not a security issue, because we have checksums
> for all downloaded JAR dependencies:
> {quote}
> [...] Projects like Lucene do checksum whitelists of
> all their build dependencies, and you may wish to consider that as a
> protection against threats beyond just MITM [...]
> {quote}
> This patch fixes the URLs for most files referenced in {{\*build.xml}} and
> {{\*ivy\*.xml}} to HTTPS. There are a few data files in benchmark which use
> HTTP only, but that's uncritical and I added a TODO. Some were broken already.
> I removed the "uk.maven.org" workarounds for Maven, as this does not work
> with HTTPS. By keeping those inside, we break the whole chain of trust, as
> any non-working HTTPS would fall back to the insecure uk.maven.org Maven
> mirror.
> As the great Chinese firewall is changing all the time, we should just wait
> for somebody complaining.
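A check for the two conditions the issue describes, plain-HTTP download URLs in Ant/Ivy XML and a resolver that falls back to a non-HTTPS mirror, written as an added example that is not part of the original message or the Lucene build. The XML samples, the property names and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples in Ivy-settings and Ant syntax; not Lucene's actual build files.
IVY_SETTINGS = """<ivysettings>
  <property name="repo.main" value="https://repo1.maven.org/maven2"/>
  <property name="repo.fallback" value="http://uk.maven.org/maven2"/>
  <resolvers>
    <chain name="default" returnFirst="true">
      <ibiblio name="main" root="${repo.main}" m2compatible="true"/>
      <ibiblio name="fallback" root="${repo.fallback}" m2compatible="true"/>
    </chain>
  </resolvers>
</ivysettings>"""

BUILD_XML = """<project name="demo" xmlns:ivy="antlib:org.apache.ivy.ant">
  <get src="http://example.org/data/corpus.tar.gz" dest="temp/corpus.tar.gz"/>
  <get src="https://example.org/tools/tool.jar" dest="lib/tool.jar"/>
</project>"""

HTTP_URL = re.compile(r"http://[^\s\"'<>]+", re.IGNORECASE)
PROP_REF = re.compile(r"\$\{([^}]+)\}")

def find_http_urls(xml_text):
    """List (tag, attribute, url) for each plain-HTTP URL in any attribute value.

    xmlns declarations are consumed by the parser and never appear as attributes,
    so namespace identifiers are not reported as downloads.
    """
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            hits += [(elem.tag, attr, url) for url in HTTP_URL.findall(value)]
    return hits

def insecure_resolvers(ivy_text):
    """Name each <ibiblio> resolver whose root, after ${property} expansion, is not HTTPS.

    A resolver with no explicit root is reported as well, so that it gets reviewed.
    """
    root = ET.fromstring(ivy_text)
    props = {p.get("name"): p.get("value", "") for p in root.iter("property")}

    def expand(value):
        return PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)

    return [r.get("name") for r in root.iter("ibiblio")
            if not expand(r.get("root", "")).lower().startswith("https://")]

if __name__ == "__main__":
    for hit in find_http_urls(BUILD_XML) + find_http_urls(IVY_SETTINGS):
        print("plain HTTP:", hit)
    print("resolvers without HTTPS:", insecure_resolvers(IVY_SETTINGS))
```

Run as a build or CI gate, a non-empty result from either function means a download can still travel over plain HTTP, which the checksum allowlist mentioned in the issue would then be the only protection against.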