[
https://issues.apache.org/jira/browse/SPARK-35373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sean R. Owen resolved SPARK-35373.
----------------------------------
Fix Version/s: 3.2.0
Resolution: Fixed
Issue resolved by pull request 32505
[https://github.com/apache/spark/pull/32505]
> Verify checksums of downloaded artifacts in build/mvn
> -----------------------------------------------------
>
> Key: SPARK-35373
> URL: https://issues.apache.org/jira/browse/SPARK-35373
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Affects Versions: 2.4.7, 3.0.2, 3.1.1
> Reporter: Sean R. Owen
> Assignee: Apache Spark
> Priority: Minor
> Fix For: 3.2.0
>
>
> build/mvn is a convenience script that will automatically download Maven (and
> Scala) if not already present. While it downloads from official ASF mirrors,
> it does not check the checksum of the artifact, which is available as a
> .sha512 file from ASF servers.
> The risk of a supply chain attack is a bit less theoretical here than usual,
> because artifacts are downloaded from any of several mirrors worldwide, and
> injecting a malicious copy of Maven in any one of them might be simpler and
> less noticeable than injecting it into ASF servers.
> (Note, Scala's download site does not seem to provide a checksum. They do all
> come from Lightbend, at least, not N mirrors. Not much we can do there.)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
