whirr-dev mailing list archives

From Andrei Savu <savu.and...@gmail.com>
Subject Re: install_oab_java considered harmful
Date Tue, 21 Feb 2012 15:17:11 GMT
I agree. Let's find a better / more secure way of installing the Oracle JDK
- that would fix all the problems we are seeing.

Anyone willing to port InstallJDK.fromURL() from jclouds 1.4.0? Any other
ideas?

On Tue, Feb 21, 2012 at 3:10 PM, Karel Vervaeke <karel@outerthought.org> wrote:

> I'm not a big fan of the install_oab_java.sh thing to be honest.
> Sorry that I didn't express this earlier, I couldn't put my finger on
> it.
> It's a security liability: It requires pulling from two github
> repos which are only controlled by the individuals who own the
> repository.
> If they decide to slip in malicious stuff, everybody installing java
> via those scripts is going to be affected.
> It would be (slightly) better if we forked the repository (e.g. under
> the apache github account, but I doubt the infrastructure for that is
> up).
> And possibly even better if the actual commands were embedded in whirr
> (rather than fetched from external sources at runtime)
> Even if the owners don't have malicious intentions, chances are
> they'll update their scripts, possibly breaking whirr in the process
> (without even knowing they are breaking anything)
>
> WDYT?
>
> Regards,
> Karel
> --
> Karel Vervaeke
> http://outerthought.org/
> Open Source Content Applications
> Makers of Kauri, Daisy CMS and Lily
>
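
The concern raised in the quoted message (install scripts pulled from third-party repositories at runtime can change without anyone reviewing them) can be reduced by running a script only when it matches a SHA-256 digest recorded at review time. This is an added example, not code from this thread or from Whirr; the function names and the sample script are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to run an install script unless it matches a pinned digest.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 otherwise
verify_pinned() {
    file=$1 expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual, pinned $expected" >&2
        return 1
    fi
    return 0
}

# run_pinned FILE EXPECTED [ARGS...] -> executes FILE only after verification
run_pinned() {
    file=$1 expected=$2; shift 2
    verify_pinned "$file" "$expected" || return 1
    sh "$file" "$@"
}

# demo: constructed stand-in for a fetched script; returns 0 when the
# reviewed copy runs and a later, unreviewed modification is refused.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo "reviewed install steps"\n' > "$dir/install.sh"   # constructed
    pin=$(sha256_of "$dir/install.sh")   # in practice: a literal kept in the caller's source
    run_pinned "$dir/install.sh" "$pin" || { rm -rf "$dir"; return 1; }
    printf 'echo "unreviewed upstream change"\n' >> "$dir/install.sh"
    if run_pinned "$dir/install.sh" "$pin" 2>/dev/null; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return $rc
}
```

A digest pin addresses both points in the message: a malicious change and a well-meant but breaking update each fail the check until someone reviews the new version and updates the pin.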
