lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hoss Man (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LUCENE-3945) we should include checksums for every jar ivy fetches in svn & src releases to verify the jars are the ones we expect
Date Tue, 03 Apr 2012 19:02:25 GMT

    [ https://issues.apache.org/jira/browse/LUCENE-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245603#comment-13245603
] 

Hoss Man commented on LUCENE-3945:
----------------------------------

#1: I know that Ivy attempts MD5 & SHA1 verification by default -- but it does that verification
against checksum files located on the server, so it only offers protection against corruption
in transit, not against files deliberately modified on the server.

#2 i realize that the maintainers of maven repos say "all files are immutable" and that this
potential risk of malicious or accidental file changes exists for all maven users -- but that's
the choise of all maven users to accept that as a way of life.  I'm raising this issue only
to point out a discrepancy between the "confidence" we use to be able to give people who download
src releases, vs what we have currently with ivy.
                
> we should include checksums for every jar ivy fetches in svn & src releases to verify
the jars are the ones we expect
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: LUCENE-3945
>                 URL: https://issues.apache.org/jira/browse/LUCENE-3945
>             Project: Lucene - Java
>          Issue Type: Task
>            Reporter: Hoss Man
>             Fix For: 3.6, 4.0
>
>
> Conversation with rmuir last night got me thinking about the fact that one thing we lose
by using ivy is confidence that every user of a release is compiling against (and likely using
at run time) the same dependencies as every other user.
> Up to 3.5, users of src and binary releases could be confident that the jars included
in the release were the same jars the lucene devs vetted and tested against when voting on
the release candidate, but with ivy there is now the possibility that after the source release
is published, the owner of a domain where these dependencies are hosted might change the jars
in some way w/o anyone knowing.  Likewise: we as developers could commit an ivy.xml file pointing
to a specific URL which we then use for and test for months, and just prior to a release,
the contents of the remote URL could change such that a JAR included in the binary artifacts
might not match the ones we've vetted and tested leading up to that RC.
> So i propose that we include checksum files in svn and in our source releases that can
be used by users to verify that the jars they get from ivy match the jars we tested against.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message