Hi,

On Sunday, 06.09.2020, 05:50 +0200, Jaroslav Tulach wrote:
> Hello Jean-Marc Borer.
>
> > The problem is that https://netbeans.apache.org/nb/updates/12.0/
> > <https://netbeans.apache.org/nb/updates/12.0/updates.xml.gz>
> > redirects to mirrors that are not white listed. The list changes too often to be
> > maintained by me and accepted by my company.
>
> When I click the above URL I get to:
> https://apache.miloslavbrada.cz/netbeans/netbeans/12.0/nbms/updates.xml.gz
> I assume all the links from `updates.xml` are then relative.
>
> Why don't you white list `apache.miloslavbrada.cz` or any other Apache mirror
> that you are redirected to? Of course, modify your IDE to use the URL to the
> selected mirror instead of the default randomly distributing URL.
>
This is not a good idea, unless you fully trust the mirror operator. The updates.xml.gz _must_ be downloaded from Apache infrastructure via an https connection. The updates.xml.gz acts as a trust anchor and thus it needs to come from a trustworthy source. The mirror network is not controlled by Apache and thus every operator could inject malicious data.

We protect against this:

- The updates.xml.gz comes from trusted Apache infrastructure
- The updates.xml.gz holds cryptographic hashes of the artifacts; artifacts whose hashes don't match the updates.xml.gz value after download are rejected.

This allows downloads to happen from the mirrors while still ensuring that they are identical to the download from the main Apache mirror. The only requirement is that the updates.xml.gz must come from a trusted source.

Matthias

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
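The trust model Matthias describes (catalog only from Apache over https, artifacts from any mirror but accepted only when their hash matches the catalog), as an added example that is not part of this thread or of NetBeans' own code. The catalog schema, the `sha256` attribute, the trusted-host set and the sample artifact are assumptions constructed for illustration, not the real updates.xml format.

```python
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts whose https-served catalog is accepted as the trust anchor (assumption for this example).
TRUSTED_CATALOG_HOSTS = {"netbeans.apache.org"}

# Constructed sample artifact and a simplified catalog. The real NetBeans updates.xml
# schema differs; this only models "the catalog carries a hash per artifact".
GOOD_NBM = b"constructed contents of org-example-good.nbm"
CATALOG_XML = (
    '<?xml version="1.0"?><module_updates>'
    '<module codenamebase="org.example.good" distribution="org-example-good.nbm" '
    f'sha256="{hashlib.sha256(GOOD_NBM).hexdigest()}"/>'
    "</module_updates>"
).encode()
CATALOG_GZ = gzip.compress(CATALOG_XML)


def load_catalog(gz_bytes: bytes, final_url: str) -> dict:
    """Accept the catalog only if it arrived over https from trusted infrastructure.

    final_url is the URL the download actually ended at, after any redirects,
    so a redirect to a mirror host is rejected even if the initial URL was fine.
    """
    u = urlparse(final_url)
    if u.scheme != "https" or u.hostname not in TRUSTED_CATALOG_HOSTS:
        raise ValueError(f"catalog from untrusted origin: {final_url}")
    root = ET.fromstring(gzip.decompress(gz_bytes))
    # map relative distribution path -> expected hex SHA-256
    return {m.get("distribution"): m.get("sha256") for m in root.iter("module")}


def verify_artifact(catalog: dict, distribution: str, data: bytes) -> bool:
    """Artifacts may come from any mirror; they are trusted only if the hash matches."""
    expected = catalog.get(distribution)
    if expected is None:
        return False  # not listed in the trusted catalog: reject
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_from_mirror(catalog: dict, distribution: str, mirror_bytes: bytes) -> str:
    """Outcome of an install attempt for bytes served by an untrusted mirror."""
    return "installed" if verify_artifact(catalog, distribution, mirror_bytes) else "rejected"
```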