giraph-dev mailing list archives

From "Olaf Flebbe (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (GIRAPH-1120) Insecure repository configuration
Date Tue, 11 Oct 2016 05:39:20 GMT

     [ https://issues.apache.org/jira/browse/GIRAPH-1120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olaf Flebbe updated GIRAPH-1120:
--------------------------------
    Attachment: 0001-GIRAPH-1120-Insecure-repository-configuration.patch

My proposed patch. The default repository configuration is sufficient for the default profile.


If you do not like this patch, please at least change the http:// URI to https:// repos.

> Insecure repository configuration 
> ----------------------------------
>
>                 Key: GIRAPH-1120
>                 URL: https://issues.apache.org/jira/browse/GIRAPH-1120
>             Project: Giraph
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 1.2.0-SNAPSHOT
>            Reporter: Olaf Flebbe
>         Attachments: 0001-GIRAPH-1120-Insecure-repository-configuration.patch
>
>
> Hi, the repository configuration of Giraph is dangerous, since it is susceptible to MITM attacks.
> {code}
> <repositories>
>     <repository>
>       <id>central</id>
>       <url>http://repo1.maven.org/maven2</url>
>       <releases>
>         <enabled>true</enabled>
>       </releases>
>     </repository>
> ...
> {code}
> If one looks closer, no repository needs to be configured since everything from the default profile is in Maven Central.
> If anything from a non-default profile is not found in Maven Central, it should be moved to the respective profile. For instance the CDH artifact repository should be moved to the cdh hadoop_cdh4.1.2 profile.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
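
A build-time check for the problem reported above, as an added example that is not part of the original message or of Giraph's build: it lists every `<repository>` or `<pluginRepository>` in a POM whose URL is not `https://`, and says whether it is declared at top level or inside a profile. The sample POM is constructed; `repo.example.invalid`, `mirror-example`, `vendor-example` and `vendor-repo` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not Giraph's real pom.xml): the "central" entry quoted
# in the issue plus hypothetical entries; all *.example.invalid names are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>http://repo1.maven.org/maven2</url></repository>
    <repository><id>mirror-example</id><url>https://repo.example.invalid/maven2</url></repository>
  </repositories>
  <profiles>
    <profile>
      <id>vendor-example</id>
      <repositories>
        <repository><id>vendor-repo</id><url>HTTP://repo.example.invalid/releases/</url></repository>
      </repositories>
    </profile>
  </profiles>
</project>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, ignoring namespaces."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_repositories(pom_xml):
    """Return (scope, repository id, url) for each repository URL that is not https://."""
    findings = []
    def scan(parent, scope):
        for section in parent:
            if local(section.tag) in ("repositories", "pluginRepositories"):
                for repo in section:
                    url = child_text(repo, "url")
                    if not url.lower().startswith("https://"):
                        findings.append((scope, child_text(repo, "id"), url))
    root = ET.fromstring(pom_xml)
    scan(root, "top-level")  # repositories that apply to every build
    for profiles in root:
        if local(profiles.tag) == "profiles":
            for profile in profiles:
                scan(profile, "profile:" + child_text(profile, "id"))
    return findings

if __name__ == "__main__":
    print(audit_repositories(SAMPLE_POM))
```

The scope column separates plaintext repositories that affect every build from ones confined to a single profile, which is the split the issue asks for.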
