[ https://issues.apache.org/jira/browse/SPARK-9417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644959#comment-14644959 ]
Steve Loughran commented on SPARK-9417:
---------------------------------------

Marking as related to SPARK-9254, which added the redirect handling to the script. This JIRA doesn't supplement it; it just advocates making the original URL the HTTPS one.

> sbt-launch to fetch sbt binaries over https not http
> ----------------------------------------------------
>
>                 Key: SPARK-9417
>                 URL: https://issues.apache.org/jira/browse/SPARK-9417
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.5.0
>            Reporter: Steve Loughran
>            Priority: Minor
>
> The current {{build/sbt-launch-lib.bash}} uses two URLs to try and fetch sbt
> from
> {code}
> URL1=http://typesafe.artifactoryonline.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
> URL2=http://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
> {code}
> Using HTTP means that the artifacts are downloaded without any auth, and
> without any checksum validation. Yet the actual URL currently just redirects
> to URL https://repo.typesafe.com/typesafe/ivy-releases/
> Switching to that directly would reduce vulnerability to MITM publishing of
> subverted artifacts, or at least postpone it to the maven/ivy phase.
> An alternative strategy would be to have the SHA1 checksum in the script, and
> explicitly validate the D/L.
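The two mitigations the issue describes (fetch the launcher over HTTPS only, and pin a SHA1 checksum in the script and validate the download against it) combined into one bash fetch routine. This is an added example, not code from Spark's build/sbt-launch-lib.bash; the function names, the portable checksum helper and the placeholder checksum value are assumptions. The `--proto` / `--proto-redir` curl options make the HTTPS requirement hold across redirects as well, so a redirect back to plain http is refused rather than followed.

```shell
#!/usr/bin/env bash
# Added example (not from the Spark build scripts): download an artifact over
# HTTPS only and refuse to keep it unless its SHA-1 matches a pinned checksum.
# Function names and the example checksum below are assumptions.

# Print the SHA-1 hex digest of a file; portable across sha1sum, shasum, openssl.
sha1_of_file() {
  local f="$1"
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$f" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 "$f" | awk '{print $1}'
  else
    openssl dgst -sha1 "$f" | awk '{print $NF}'
  fi
}

# Return 0 when the file's SHA-1 equals the expected hex digest (case-insensitive),
# 1 otherwise. A pinned checksum in the script is what makes the download verifiable.
verify_sha1() {
  local f="$1" expected="$2" actual
  [ -f "$f" ] || return 1
  actual=$(sha1_of_file "$f") || return 1
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
    "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Fetch URL into DEST over HTTPS only, then validate the pinned checksum.
# Exit codes: 0 ok, 1 download failed, 2 non-HTTPS URL refused, 3 checksum mismatch.
fetch_and_verify() {
  local url="$1" dest="$2" expected="$3"
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
  esac
  # --proto/--proto-redir restrict both the initial request and any redirect
  # to HTTPS; -f turns an HTTP error page into a failure instead of a bogus jar.
  curl -fsSL --proto '=https' --proto-redir '=https' -o "$dest" "$url" || return 1
  if verify_sha1 "$dest" "$expected"; then
    return 0
  fi
  echo "checksum mismatch for $dest, removing it" >&2
  rm -f "$dest"
  return 3
}

# Stand-alone usage: fetch_and_verify.sh <https-url> <dest-file> <expected-sha1>
if [ "$#" -eq 3 ]; then
  fetch_and_verify "$1" "$2" "$3"
fi
```

Keeping the expected digest in the script (rather than fetching a `.sha1` file from the same server) is what turns the check into a real pin: a server that can serve a subverted jar can serve a matching checksum file just as easily.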