infra-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henk Penning (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-16872) closer.lua returns http:// mirror when requested via https://
Date Fri, 03 Aug 2018 12:33:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-16872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568154#comment-16568154
] 

Henk Penning commented on INFRA-16872:
--------------------------------------

Your 'workaround' is actually a better solution ; everything coming from a mirror has to be
checked against the 'original' (by checksum).
We don't 'validate' mirrors ; so, re: mirrors, https adds (almost) nothing over http.
Closing ; "won't fix".

> closer.lua returns http:// mirror when requested via https://
> -------------------------------------------------------------
>
>                 Key: INFRA-16872
>                 URL: https://issues.apache.org/jira/browse/INFRA-16872
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: Mirrors, Website
>            Reporter: Michael Osipov
>            Assignee: Henk Penning
>            Priority: Major
>
> The Tomcat build.xml files use {{https://...closer.lua}} to download atrifacts via mirrors
for the build. Unfortunately, the Lua script returns also mirrors via HTTP only. The Ant Get
Task refuses to follow the relocation due to the security downgrade.
> I have raised this with other Tomcat committers: https://www.mail-archive.com/dev@tomcat.apache.org/msg126867.html
> The task here is to verify wether some/all of the mirrors have HTTPS, change that and
have {{closer.lua}} to respond with an HTTPS aware mirror if it has been called via HTTPS.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message