I decided to ask Infra https://issues.apache.org/jira/browse/INFRA-16640
I also saw this: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls I'm wondering if the HTTPS code in the installer can handle the latest TLS. The notes for the code we use says "partial TLS1.0 implementation". Thoughts? -Alex On 6/11/18, 9:43 PM, "Alex Harui" <aha...@adobe.com.INVALID> wrote: Because Rawgit could be a faster remedy than putting together a whole new release. However, before we go that route, we need to verify that the Installer can in fact download over HTTPS from the rawgit server. My understanding from this thread is that HTTPS may be working on some servers but not others? -Alex On 6/11/18, 9:03 PM, "Justin Mclean" <jus...@classsoftware.com> wrote: Hi, Do we really want to go with a service that states "this is a free service, so there are no uptime or support guarantees.". I not sure we even have an issue with downloading the binary connivance releases so why do we need to move them from where they currently are? Justin On Tue, Jun 12, 2018 at 12:05 PM, OmPrakash Muppirala <bigosma...@gmail.com> wrote: > Rawgit might be a good option for us: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Frawgit.com%2F&data=02%7C01%7Caharui%40adobe.com%7Ce1271815ffce4da34b4308d5d0197f62%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643730289596335&sdata=3GuiC1GhJIPPW3LowsPOUNtYobe%2FS3SvUhPqj%2FNFQl8%3D&reserved=0 > > If no one has objections, I can set this up. > > Thanks, > Om > > On Mon, Jun 11, 2018, 5:12 PM Alex Harui <aha...@adobe.com.invalid> wrote: > > > Also, I think if we can find a volunteer to host the entire binary folder > > (and thus pay the bandwidth costs) that will solve the problem without > > requiring an update to the installer. > > > > My 2 cents, > > -Alex > > > > On 6/11/18, 5:05 PM, "Alex Harui" <aha...@adobe.com.INVALID> wrote: > > > > Hmm. Are you proposing a new release of the installer? The location > > of the apache-flex-sdk-installer-config.xml is supposed to be > > release-specific. Each release can have its own version in case we need > to > > change steps in the release, so I don't think we want to hardcode it to > the > > URL you are using for testing. > > > > Did you say that if you use https to access this file on our website > > that it also fails? I find that really interesting if you are also > saying > > that the install does complete if we use https to download some of the > > artifacts like AIR29. Can you verify that this is only an issue for > > hitting apache.org sites via HTTPS and make sure your AIR29 didn't come > > out of the download cache? > > > > If it is an HTTPS for apache.org only, I think we want to understand > > why and build a really small test case to show Infra. Because if they > made > > a config change on apache.org/dist, if one of the other places we > > download from make the same change we will be stuck again. > > > > Thoughts? > > -Alex > > > > On 6/11/18, 1:25 PM, "Piotr Zarzycki" <piotrzarzyck...@gmail.com> > > wrote: > > > > I simply placed link here [1]. > > > > APACHE_FLEX_BIN_INSTALLER_URL = > > " > > https://na01.safelinks.protection.outlook.com/?url= > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fapache-flex-sdk- > installer-config.xml&data=02%7C01%7Caharui%40adobe.com% > 7Ceda63602f32e4a98d35f08d5cfd97c84%7Cfa7b1b5a7b34438794aed2c178de > cee1%7C0%7C0%7C636643455386260834&sdata=8%2FKeViaRU2QlsM%2BDVqI9% > 2B5VwFRaoR3cYywVPiD8iiI4%3D&reserved=0 > > " > > > > > > [1] > > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly% > 2F2JC5dcX&data=02%7C01%7Caharui%40adobe.com%7Ceda63602f32e4a98d35f08d5cfd9 > 7c84%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C1% > 7C636643455386260834&sdata=k3wKVwi2OH9dwPoTXlvYz4gKQnNs85 > II6JxH7GUSMPE%3D&reserved=0 > > > > pon., 11 cze 2018 o 22:10 Alex Harui <aha...@adobe.com.invalid> > > napisał(a): > > > > > But what code knew to start looking at the website instead of > > dist? > > > Didn't something else need to change? I'm trying to understand > > all of the > > > pieces. > > > > > > -Alex > > > > > > On 6/11/18, 12:34 PM, "Piotr Zarzycki" < > > piotrzarzyck...@gmail.com> wrote: > > > > > > Alex, > > > > > > When we are trying to read following file [1], we are > > getting time out > > > in > > > installer. I moved that file to our website [2] and locally > > tested > > > installer. - I got positive results. It's started to work. > > > > > > [1] > > > > > > > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.apache.org%2Fdist%2Fflex%2F4.16.1% > 2Fbinaries%2Fapache-flex-sdk-installer-config.xml&data=02% > 7C01%7Caharui%40adobe.com%7C8cf556e5bf954296e05908d5cfd26258% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643424854057105&sdata= > WaA3FpmHKJuhJI5Dpvxy6gfIBXOYBNg862fzTpLSucQ%3D&reserved=0 > > > [2] > > > > > https://na01.safelinks.protection.outlook.com/?url= > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fapache-flex-sdk- > installer-config.xml&data=02%7C01%7Caharui%40adobe.com% > 7C8cf556e5bf954296e05908d5cfd26258%7Cfa7b1b5a7b34438794aed2c178de > cee1%7C0%7C0%7C636643424854057105&sdata=nRM0G2Vsc3uVg9sg3SEiF% > 2FnKzmO34dUJACfhl47MbEc%3D&reserved=0 > > > > > > Thanks, > > > Piotr > > > > > > pon., 11 cze 2018 o 17:24 Alex Harui > > <aha...@adobe.com.invalid> > > > napisał(a): > > > > > > > I think I'm lost. The commit message shows that one file > > was added > > > to our > > > > site. What file is pointing to it and how did it know to > > look at > > > our site? > > > > > > > > -Alex > > > > > > > > On 6/11/18, 12:58 AM, "Piotr Zarzycki" < > > piotrzarzyck...@gmail.com> > > > wrote: > > > > > > > > I moved file on our website [1] and it's working. If > I > > change it > > > to > > > > https > > > > we have time out issue as well. When file was used > > from my > > > server I > > > > also > > > > used https and it was working. > > > > > > > > Can we just use that location [1] and we will have > > installer > > > working ? > > > > > > > > [1] > > > > > > > > > https://na01.safelinks.protection.outlook.com/?url= > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fapache-flex-sdk- > installer-config.xml&data=02%7C01%7Caharui%40adobe.com% > 7C4d8ae8042ed840e0cd9908d5cf712b17%7Cfa7b1b5a7b34438794aed2c178de > cee1%7C0%7C0%7C636643007320096225&sdata=YmowJViVHdhqCrxcGSZLg%2BYY86G% > 2BsbJCAqsYkcOWEHw%3D&reserved=0 > > > > > > > > Thanks, > > > > Piotr > > > > > > > > pon., 11 cze 2018 o 09:31 Justin Mclean < > > > jus...@classsoftware.com> > > > > napisał(a): > > > > > > > > > No I'm not suggesting that. AFAIK it's only the > > config text > > > file > > > > that Prior > > > > > wants to host. > > > > > > > > > > On Mon., 11 Jun. 2018, 8:47 am Alex Harui, > > > <aha...@adobe.com.invalid > > > > > > > > > > wrote: > > > > > > > > > > > Justin, > > > > > > > > > > > > Are you suggesting that we distribute a binary > > artifact from > > > our > > > > project > > > > > > website? Do other projects do that? > > > > > > > > > > > > -Alex > > > > > > > > > > > > On 6/10/18, 10:27 PM, "Justin Mclean" < > > > jus...@classsoftware.com> > > > > wrote: > > > > > > > > > > > > Hi, > > > > > > > > > > > > > I'm talking about that file [1]. What kind > > of security > > > > issues do > > > > > you > > > > > > > exactly see if I move that file on my > server > > ? > > > > > > > > > > > > Well if someone changed the paths in those > > files, our > > > users > > > > could > > > > > > unwitting be made to download walware or other > > stuff. Risk is > > > > probably > > > > > low > > > > > > but I have no details on the server this file is > > going on, > > > for > > > > instance > > > > > it > > > > > > it a dedicated server or one that contains shared > > hosts for > > > > instance. > > > > > What > > > > > > other services are running on this server? How is > > the file > > > > > uloaded/updated > > > > > > on that server? What security is in place to stop > > others > > > modifying > > > > that > > > > > > file? If it located in Poland is that going to > > cause > > > performance > > > > issues > > > > > for > > > > > > people outside of Europe? What happens if the > > server falls > > > overs > > > > can > > > > > > someone on the PMC restart it? Will the rest of > > the PMC have > > > > access to > > > > > this > > > > > > server? Might be best to answer on the private > > list if you > > > don’t > > > > want > > > > > > details about your server made public. > > > > > > > > > > > > Perhaps a better solution would be to host > > them on the > > > Apache > > > > Flex > > > > > > website as currently we do for [1] which the > > installer gets. > > > Is it > > > > too > > > > > hard > > > > > > to have a > > > > > > > > > > > > > > > > > > > > https://na01.safelinks.protection.outlook.com/?url= > http%3A%2F%2Fflex.apache.org%2Finstaller%2FXXX%2Fsdk- > installer-config-4.0.xml&data=02%7C01%7Caharui%40adobe.com% > 7Cbe3b60c824884a383f7d08d5cf5c1704%7Cfa7b1b5a7b34438794aed2c178de > cee1%7C0%7C0%7C636642916791710330&sdata=CUrCENwFIuMoAtvJnjoNXT9o41rbsX > GXojcwa5QH%2Bys%3D&reserved=0 > > > > > , > > > > > > were XXX if the flex version number as well? > Given > > the issue > > > is > > > > only with > > > > > > 4.16.0 and 4.16.1that’s only two files we would > > need to host > > > > there. That > > > > > > way access and security are handled by ASF > > infrastructure > > > and we > > > > don’t > > > > > have > > > > > > to worry about them. > > > > > > > > > > > > Thanks, > > > > > > Justin > > > > > > > > > > > > 1. > > > > > > > > > > > > > > > > > > > > https://na01.safelinks.protection.outlook.com/?url= > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fsdk-installer- > config-4.0.xml&data=02%7C01%7Caharui%40adobe.com% > 7Cbe3b60c824884a383f7d08d5cf5c1704%7Cfa7b1b5a7b34438794aed2c178de > cee1%7C0%7C0%7C636642916791710330&sdata=2ld9NbW8Uar2ARRbaXv14uQ1cNN2U2 > ZIxWjqpnJdqX0%3D&reserved=0 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Piotr Zarzycki > > > > > > > > Patreon: * > > > > > > > > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01% > 7Caharui%40adobe.com%7C4d8ae8042ed840e0cd9908d5cf712b17% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643007320096225&sdata= > v5vx417pobFqInf08DbisQPeFu%2FU0WyzufbVEL%2F%2B2Ho%3D&reserved=0 > > > > < > > > > > > > > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01% > 7Caharui%40adobe.com%7C4d8ae8042ed840e0cd9908d5cf712b17% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643007320106230&sdata=S3Q% > 2FNmTpKKkr9oEtYLfIDNZvz7pYHcQyeiuVF7cPLq0%3D&reserved=0 > > > > >* > > > > > > > > > > > > > > > > > > -- > > > > > > Piotr Zarzycki > > > > > > Patreon: * > > > > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01% > 7Caharui%40adobe.com%7C8cf556e5bf954296e05908d5cfd26258% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643424854057105&sdata= > 6rndu7V2f8DYDeQLB0kpqtXWYJvKZDIu3l%2Ba8bS9A2A%3D&reserved=0 > > > < > > > > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01% > 7Caharui%40adobe.com%7C8cf556e5bf954296e05908d5cfd26258% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643424854057105&sdata= > 6rndu7V2f8DYDeQLB0kpqtXWYJvKZDIu3l%2Ba8bS9A2A%3D&reserved=0 > > > >* > > > > > > > > > > > > > -- > > > > Piotr Zarzycki > > > > Patreon: * > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01% > 7Caharui%40adobe.com%7Ceda63602f32e4a98d35f08d5cfd97c84% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643455386270844&sdata= > 8w9EuvBjYmQwQQ4Cwc3ipeQLEaa8EvxrbPVtRETuTNM%3D&reserved=0 > > < > > https://na01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01% > 7Caharui%40adobe.com%7Ceda63602f32e4a98d35f08d5cfd97c84% > 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643455386270844&sdata= > 8w9EuvBjYmQwQQ4Cwc3ipeQLEaa8EvxrbPVtRETuTNM%3D&reserved=0 > > >* > > > > > > > > > > >
