  1. Lucene - Core
  2. LUCENE-8807

Change all download URLs in build files to HTTPS

Details

    • Type: Task
    • Status: Reopened
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 8.1
    • Fix Version/s: 7.7.2, 9.0, 8.2, 8.1.1
    • Component/s: general/build
    • Labels: None
    • Lucene Fields: New

    Description

      At least for Lucene this is not a security issue, because we have checksums for all downloaded JAR dependencies:

      [...] Projects like Lucene do checksum whitelists of
      all their build dependencies, and you may wish to consider that as a
      protection against threats beyond just MITM [...]

      This patch fixes the URLs for most files referenced in *build.xml and *ivy*.xml to HTTPS. There are a few data files in benchmark which use HTTP only, but that's uncritical and I added a TODO. Some were broken already.

      I removed the "uk.maven.org" workarounds for Maven, as this does not work with HTTPS. By keeping those inside, we break the whole chain of trust, as any non-working HTTPS would fall back to the insecure uk.maven.org Maven mirror.

      As the Great Chinese Firewall is changing all the time, we should just wait for somebody to complain.

      Attachments

        1. LUCENE-8807.patch
          13 kB
          Uwe Schindler
        2. LUCENE-8807.patch
          13 kB
          Uwe Schindler
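An added example (not part of the issue or its attached patch): a small audit that lists plain-HTTP URLs left in the attribute values of an Ant or Ivy XML file, which is the kind of leftover the description mentions (HTTP-only data files, an HTTP fallback mirror). The sample XML, its property names and the `example.invalid` hosts are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attributes in this namespace (e.g. xsi:noNamespaceSchemaLocation) name a
# schema; they are identifiers, not something the build downloads.
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
HTTP_URL = re.compile(r"http://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample input, not taken from the Lucene build files.
SAMPLE_BUILD_XML = """\
<project name="demo" xmlns:ivy="antlib:org.apache.ivy.ant"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://example.invalid/schema.xsd">
  <property name="repo.primary" value="https://repo.example.invalid/maven2"/>
  <property name="repo.fallback" value="http://mirror.example.invalid/maven2"/>
  <target name="fetch">
    <get src="${repo.primary}/a/a.jar" dest="lib/a.jar"/>
    <get src="http://data.example.invalid/corpus.tar.gz" dest="work/"/>
    <echo>See http://docs.example.invalid/ for details</echo>
  </target>
</project>
"""


def find_insecure_urls(xml_text):
    """Return (tag, attribute, url) for every plain-HTTP URL in an attribute.

    xmlns declarations never show up in ElementTree's attrib mapping, so
    namespace URIs are skipped automatically. Element text such as <echo>
    messages is not scanned. Intended for build files from your own checkout;
    do not feed it untrusted XML.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if attr.startswith(XSI):
                continue
            for url in HTTP_URL.findall(value):
                findings.append((elem.tag, attr, url))
    return findings


if __name__ == "__main__":
    for tag, attr, url in find_insecure_urls(SAMPLE_BUILD_XML):
        print(f"<{tag} {attr}=...> uses {url}")
```

A finding on a fallback or mirror property matters as much as one on the primary repository, since the build only has to fail over once to fetch over plain HTTP.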

            People

              Assignee: Uwe Schindler (uschindler)
              Reporter: Uwe Schindler (uschindler)
              Votes: 1
              Watchers: 5