netbeans-dev mailing list archives

From Antonio Vieiro <anto...@vieiro.net>
Subject Re: Downloading from other Maven repositories was: Integrating with complex third-party software
Date Mon, 30 Oct 2017 20:14:31 GMT

> On 30 Oct 2017, at 20:47, Matthias Bläsing <mblaesing@doppel-helix.eu> wrote:
> 
> Hey,
> 
> On Monday, 30.10.2017, 20:02 +0100, Antonio Vieiro wrote:
>>>> On the other hand during review of HTML/Java API I had to remove download
>>>> from google Maven repository - it was seen as untrusted. I assume the same
>>>> will be said about the eclipse repository.
>>> 
>>> I don't follow that argument. The trust basis is the SHA1 hash that is
>>> checked at download time. At this point in time I consider SHA1 as a
>>> safe basis and thus I don't care if the binary comes from maven central,
>>> the eclipse repository or whatever.
>> 
>> Untrusted because missing https certificates, maybe? 
>> 
>> The DownloadBinaries.java ant task currently uses plain http, so no worries about
>> https certificates (but we could use a custom SSLSocketFactory with some certs if required).
>> 
> 
> Please see the DownloadBinaries#doDownload method. The download is done
> and after that the file hash is compared with the reference from the
> binaries-list.

I agree with you that the SHA1 is enough. I meant that maybe Yaroslav was talking about “untrusted
HTTPS” connections.

Cheers,
Antonio

> 
> So you'd need to create a SHA1 collision to inject code when
> downloading. While theoretically possible, I'd currently not think
> about the problem.
> 
> We should think about making the hashing extendable, so that we can
> later switch to safer hashing algorithms.
> 
> Greetings
> 
> Matthias
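As an added illustration of the download-then-compare-hash flow Matthias describes in DownloadBinaries#doDownload, and of making the hash algorithm selectable as he suggests, here is example Java written for this thread; it is not the NetBeans task's own code, and the "<hash> <artifact>" line format with an optional "ALGO:" prefix is an assumption, not the real binaries-list format.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;

public final class VerifiedDownload {
    /** Lower-case hex encoding of a digest. */
    static String hex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * Splits an entry "<hash> <artifact>" (assumed format, not the real binaries-list).
     * An "ALGO:" prefix selects the JCA algorithm; a bare hash keeps today's SHA-1,
     * so existing entries stay valid while new ones can move to SHA-256.
     */
    static String[] parseEntry(String line) {
        String[] parts = line.trim().split("\\s+", 2);
        int colon = parts[0].indexOf(':');
        String algo = colon < 0 ? "SHA-1" : parts[0].substring(0, colon);
        String hash = colon < 0 ? parts[0] : parts[0].substring(colon + 1);
        return new String[] { algo, hash, parts[1] };
    }

    /**
     * Fetches url into a temp file while hashing, then compares with the reference.
     * Only a matching file is moved to target; a mismatch is deleted and rejected,
     * whatever the transport (http or https) was.
     */
    static Path download(URL url, String algorithm, String expectedHex, Path target)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        Path tmp = Files.createTempFile("download", ".part");
        try (InputStream in = new DigestInputStream(url.openStream(), md)) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
        }
        String actual = hex(md.digest());
        // Constant-time comparison of the two hex strings.
        if (!MessageDigest.isEqual(actual.getBytes(StandardCharsets.US_ASCII),
                expectedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII))) {
            Files.deleteIfExists(tmp);
            throw new IOException("hash mismatch for " + url + ": expected " + expectedHex + ", got " + actual);
        }
        return Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING);
    }
}
```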

