Steve Loughran created SPARK-9417:
-------------------------------------

             Summary: sbt-launch to fetch sbt binaries over https not http
                 Key: SPARK-9417
                 URL: https://issues.apache.org/jira/browse/SPARK-9417
             Project: Spark
          Issue Type: Improvement
          Components: Build
    Affects Versions: 1.5.0
            Reporter: Steve Loughran
            Priority: Minor


The current {{build/sbt-launch-lib.bash}} uses two URLs to try and fetch sbt from:
{code}
URL1=http://typesafe.artifactoryonline.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
URL2=http://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
{code}

Using HTTP means that the artifacts are downloaded without any auth, and without any checksum validation. Yet the actual URL currently just redirects to https://repo.typesafe.com/typesafe/ivy-releases/

Switching to that directly would reduce vulnerability to MITM publishing of subverted artifacts, or at least postpone it to the maven/ivy phase.

An alternative strategy would be to have the SHA1 checksum in the script, and explicitly validate the download.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
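The combination the issue proposes (https-only fetch plus a SHA1 pinned in the script), as an added example that is not Spark's own {{build/sbt-launch-lib.bash}}; the SBT_VERSION default and the checksum value are placeholders, not values from the issue.

```shell
#!/usr/bin/env bash
# Added example (not Spark's build/sbt-launch-lib.bash): fetch sbt-launch.jar
# over https only and refuse to use it unless its SHA-1 matches a value pinned
# in the script. The checksum below is a placeholder, not the real value.
set -eu

SBT_VERSION="${SBT_VERSION:-0.13.7}"   # assumed default, not taken from the issue
# Pinned SHA-1 of sbt-launch.jar for this SBT_VERSION (placeholder, all zeros).
SBT_LAUNCH_SHA1="${SBT_LAUNCH_SHA1:-0000000000000000000000000000000000000000}"
SBT_LAUNCH_URL="https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar"

# Print the SHA-1 of a file; works with sha1sum (GNU) or shasum (BSD/macOS).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# verify_sha1 FILE EXPECTED: return 0 only if FILE's SHA-1 equals EXPECTED
# (hex compared case-insensitively); otherwise report the mismatch, return 1.
verify_sha1() {
  file="$1"; expected="$2"
  actual="$(sha1_of "$file")"
  if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# fetch_sbt_launch DEST: download with curl restricted to https (including any
# redirect it follows), verify the pinned SHA-1, and only then move the file
# into place, so a tampered or truncated download never becomes the live jar.
fetch_sbt_launch() {
  dest="$1"; tmp="${dest}.part"
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' -o "$tmp" "$SBT_LAUNCH_URL"
  if verify_sha1 "$tmp" "$SBT_LAUNCH_SHA1"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}
```

Call `fetch_sbt_launch build/sbt-launch.jar` after setting SBT_LAUNCH_SHA1 to the real checksum of the jar for the pinned version; a mismatch leaves no jar behind and returns non-zero so the build aborts.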