  1. Lucene - Core
  2. LUCENE-8807

Change all download URLs in build files to HTTPS

    Details

    • Lucene Fields:
      New

      Description

      At least for Lucene this is not a security issue, because we have checksums for all downloaded JAR dependencies:

      [...] Projects like Lucene do checksum whitelists of
      all their build dependencies, and you may wish to consider that as a
      protection against threats beyond just MITM [...]

      This patch fixes the URLs for most files referenced in *build.xml and *ivy*.xml to HTTPS. There are a few data files in benchmark which use HTTP only, but that's uncritical and I added a TODO. Some were broken already.

      I removed the "uk.maven.org" workarounds for Maven, as this does not work with HTTPS. By keeping those inside, we break the whole chain of trust, as any non-working HTTPS would fall back to the insecure uk.maven.org Maven mirror.

      As the great Chinese firewall is changing all the time, we should just wait for somebody complaining.
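
An audit of the kind this change implies, as an added example that is not part of the issue or of the Lucene build: it lists plain-HTTP URLs in an Ant/Ivy XML file and flags resolver chains in which an HTTPS repository sits beside an HTTP one. The settings fragment, the `example.org` URL and both function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the Lucene build: an Ivy-style settings
# fragment with one HTTPS resolver and a plain-HTTP mirror in the same chain.
SAMPLE_IVY_SETTINGS = """\
<ivysettings xmlns:e="http://ant.apache.org/ivy/extra">
  <property name="data.url" value="http://example.org/corpus.tar.gz"/>
  <resolvers>
    <chain name="default" returnFirst="true">
      <ibiblio name="main" root="https://repo1.maven.org/maven2" m2compatible="true"/>
      <ibiblio name="mirror" root="http://uk.maven.org/maven2" m2compatible="true"/>
    </chain>
  </resolvers>
</ivysettings>
"""

def find_insecure_urls(xml_text):
    """Return (tag, attribute, url) for every attribute value that starts
    with http://. Namespace declarations (xmlns:*) are identifiers, not
    download locations; ElementTree does not expose them as attributes,
    so they are never reported."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop a "{namespace}" prefix if present
        for attr, value in elem.attrib.items():
            if value.strip().lower().startswith("http://"):
                findings.append((tag, attr.rsplit("}", 1)[-1], value.strip()))
    return findings

def chains_with_insecure_fallback(xml_text):
    """Return names of <chain> resolvers that mix HTTPS and HTTP members:
    when the HTTPS member fails, resolution continues over plain HTTP."""
    weak = []
    for chain in ET.fromstring(xml_text).iter("chain"):
        roots = [member.get("root", "").lower() for member in chain]
        has_https = any(r.startswith("https://") for r in roots)
        has_http = any(r.startswith("http://") for r in roots)
        if has_https and has_http:
            weak.append(chain.get("name"))
    return weak

if __name__ == "__main__":
    for tag, attr, url in find_insecure_urls(SAMPLE_IVY_SETTINGS):
        print(f'plain HTTP: <{tag} {attr}="{url}">')
    print("chains with HTTP fallback:", chains_with_insecure_fallback(SAMPLE_IVY_SETTINGS))
```

URLs assembled from `${...}` properties are not expanded here, so a scheme hidden behind a property reference needs a separate look.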

        Attachments

        1. LUCENE-8807.patch
          13 kB
          Uwe Schindler
        2. LUCENE-8807.patch
          13 kB
          Uwe Schindler

            People

            • Assignee:
              thetaphi Uwe Schindler
              Reporter:
              thetaphi Uwe Schindler