[LUCENE-8807] Change all download URLs in build files to HTTPS - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Reopened
Priority: Blocker
Resolution: Fixed
Affects Version/s: 8.1
Fix Version/s: 7.7.2, 9.0, 8.2, 8.1.1
Component/s: general/build
Labels:
None

Lucene Fields:

New

Description

At least for Lucene this is not a security issue, because we have checksums for all downloaded JAR dependencies:

[...] Projects like Lucene do checksum whitelists of
all their build dependencies, and you may wish to consider that as a
protection against threats beyond just MITM [...]

This patch fixes the URLs for most files referenced in *build.xml and *ivy*.xml to HTTPS. There are a few data files in benchmark which use HTTP only, but that's uncritical and I added a TODO. Some were broken already.

I removed the "uk.maven.org" workarounds for Maven, as this does not work with HTTPS. By keeping those inside, we break the whole chain of trust, as any non-working HTTPS would fallback to the insecure uk.maven.org Maven mirror.

As the great chinese firewall is changing all the time, we should just wait for somebody complaining.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

LUCENE-8807.patch
21/May/19 14:10
13 kB
Uwe Schindler
LUCENE-8807.patch
21/May/19 13:43
13 kB
Uwe Schindler

Issue Links

is duplicated by

SOLR-11936 maven urls should use https

Resolved

is related to

LUCENE-9170 wagon-ssh Maven HTTPS issue

Closed

SOLR-13756 ivy cannot download org.restlet.ext.servlet jar

Closed

SOLR-14224 Not able to build solr 6.6.2 from source after January 15, 2020

Closed

LUCENE-8993 Change Maven POM repository URLs to https

Closed

Activity

People

Assignee:: Uwe Schindler

Reporter:: Uwe Schindler

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 21/May/19 13:42

Updated:: 12/Feb/24 20:41

Resolved:: 21/May/19 15:51