www-repository mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: Maven Repository @ Apache
Date Thu, 06 Nov 2003 21:59:53 GMT

On Thu, 6 Nov 2003, Leo Simons wrote:
> indeed. Its trivial. Here's download.cgi:
>
> [leosimons@minotaur ~]$ cat /www/avalon.apache.org/download.cgi
> #!/bin/sh
> cd /www/www.apache.org/dyn/mirrors
> /www/www.apache.org/dyn/mirrors/mirrors.cgi $*
>
> the relevant snippet of download.html:
>
> <p><code>
> maven.repo.remote = [preferred]/avalon,http://www.ibiblio.org/maven
> </code></p>
>
> finally, a line like this is required in mirrors.conf:
>
> [avalon.apache.org]
> download.cgi = /www/avalon.apache.org/download.html

Sorry, I'm not on repository@apache.org. (Do we have any mirror
maintainers on that list?)  But I don't believe this is a particularly
smart thing to do.  We have *absolutely no protection* against mirror owners
deliberately or accidentally corrupting jars.  Hence things from mirrors
should never be downloaded and installed as part of an automated process.

One exception could be if the automated process were to also grab the md5
(or pgp, but that would be more complicated) from apache.org and verify
the file's integrity.

I think many ASF projects are putting too much trust in the mirrors.  It
would be very simple to get arbitrary code executed by hundreds or
thousands of different machines simply by signing up as an apache mirror
and replacing files for some of the projects that don't do a good job of
assuring downloads are verified.

Joshua.
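The exception Joshua describes above (take the artifact from the mirror, but take the checksum from apache.org and refuse to install on mismatch), as an added example that is not part of this thread or of the Avalon/Maven scripts quoted in it. The URL bases and artifact path passed to fetch_and_verify are placeholders; the offline demo at the bottom uses constructed files rather than anything downloaded.

```shell
#!/bin/sh
# Added example (not from the thread): verify a mirror-fetched artifact
# against a checksum served by the canonical host before installing it.

# Print the MD5 hex digest of a file (md5sum on Linux, openssl elsewhere).
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{ print $1 }'
  else
    openssl dgst -md5 "$1" | awk '{ print $NF }'
  fi
}

# Pull the digest out of a .md5 sidecar file. Such files are either a bare
# hex digest or "digest  filename"; take the first 32-hex-char token found.
digest_from_md5_file() {
  grep -oiE '[0-9a-f]{32}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 only when the artifact's digest matches the sidecar's digest.
verify_md5() {
  actual=$(md5_of "$1")
  expected=$(digest_from_md5_file "$2")
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Fetch the jar from an (untrusted) mirror and the .md5 from the canonical
# host; print the verified path on success, clean up and fail otherwise.
# All three arguments are placeholders chosen by the caller.
fetch_and_verify() {
  path=$1        # e.g. some-project/jars/some-artifact.jar (illustrative)
  mirror=$2      # mirror base URL, untrusted
  canonical=$3   # canonical base URL, trusted for checksums
  tmp=$(mktemp -d) || return 1
  curl -fsSL "$mirror/$path" -o "$tmp/artifact" || { rm -rf "$tmp"; return 1; }
  curl -fsSL "$canonical/$path.md5" -o "$tmp/artifact.md5" || { rm -rf "$tmp"; return 1; }
  if verify_md5 "$tmp/artifact" "$tmp/artifact.md5"; then
    echo "$tmp/artifact"   # only this path is handed to the installer
  else
    rm -rf "$tmp"
    return 1
  fi
}

# Offline demo with constructed files: an intact artifact, the sidecar the
# canonical host would serve for it, and a tampered copy of the artifact.
demo() {
  dir=$(mktemp -d)
  printf 'constructed jar contents v1\n' > "$dir/good.jar"
  md5_of "$dir/good.jar" > "$dir/good.jar.md5"
  cp "$dir/good.jar" "$dir/tampered.jar"
  printf 'injected bytes\n' >> "$dir/tampered.jar"
  if verify_md5 "$dir/good.jar" "$dir/good.jar.md5"; then r1=ok; else r1=REJECT; fi
  if verify_md5 "$dir/tampered.jar" "$dir/good.jar.md5"; then r2=ok; else r2=REJECT; fi
  rm -rf "$dir"
  echo "intact=$r1 tampered=$r2"
}

demo
```

The check is only meaningful because the .md5 comes from the canonical host and not from the same mirror as the jar; a mirror that can replace the artifact can just as easily replace a sidecar sitting next to it. The same structure applies unchanged if the sidecar is a stronger digest or a detached PGP signature, which is what Joshua's parenthetical points toward.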
