Spark / SPARK-9417

sbt-launch to fetch sbt binaries over https not http


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version: 1.5.0
    • Component: Build

    Description

      The current build/sbt-launch-lib.bash uses two URLs to try to fetch sbt from:

        URL1=http://typesafe.artifactoryonline.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
        URL2=http://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar

      Using HTTP means that the artifacts are downloaded without any authentication of the server and without any checksum validation. Yet the first URL currently just redirects to https://repo.typesafe.com/typesafe/ivy-releases/ anyway.

      Switching to the HTTPS URL directly would reduce the exposure to MITM publishing of subverted artifacts, or at least postpone it to the Maven/Ivy phase.

      An alternative strategy would be to embed the SHA1 checksum in the script and explicitly validate the download against it.
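      The two mitigations proposed above (HTTPS-only fetching, and an embedded SHA1 that the script checks before trusting the jar) as an added shell example; this is not the Spark project's own sbt-launch-lib.bash. The `SBT_LAUNCH_SHA1` value and the default `SBT_VERSION` are placeholders, and the only URL used is the https://repo.typesafe.com/... base that the issue names as the redirect target. The demonstration at the bottom runs offline on a constructed file; the real fetch needs the network.

```shell
# Added example (not Spark's sbt-launch-lib.bash): fetch sbt-launch.jar over
# HTTPS only and verify an embedded SHA1 before the build trusts the download.

SBT_VERSION="${SBT_VERSION:-0.0.0}"   # placeholder default, not a real sbt version
SBT_URL="https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar"
SBT_LAUNCH_SHA1="0000000000000000000000000000000000000000"   # placeholder, not a real digest

# Print the SHA1 hex digest of a file, using whichever tool the host provides.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# Exit 0 when the file's SHA1 equals the expected digest (case-insensitive), 1 otherwise.
verify_sha1() {
  file="$1"; expected="$2"
  actual="$(sha1_of "$file")"
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# Download over HTTPS only: --proto and --proto-redir make curl refuse an http://
# URL or an http:// redirect, and --fail turns an HTTP error page into a non-zero
# exit code instead of a bogus jar on disk.
fetch_https() {
  url="$1"; dest="$2"
  curl --proto '=https' --proto-redir '=https' --tlsv1.2 --fail --location \
       --silent --show-error -o "$dest" "$url"
}

# Fetch, then verify; a jar whose digest does not match is deleted so the build
# can never pick it up by accident.
fetch_and_verify() {
  url="$1"; dest="$2"; expected="$3"
  fetch_https "$url" "$dest" || return 1
  if verify_sha1 "$dest" "$expected"; then
    return 0
  fi
  echo "SHA1 mismatch for $dest, discarding download" >&2
  rm -f "$dest"
  return 1
}

# Offline demonstration of the verification step on a constructed file:
# "hello\n" has the well-known SHA1 f572d396fae9206628714fb2ce00f72e94f2258f.
demo_file="$(mktemp)"
printf 'hello\n' > "$demo_file"
if verify_sha1 "$demo_file" f572d396fae9206628714fb2ce00f72e94f2258f; then
  echo "constructed file verified"
fi
if ! verify_sha1 "$demo_file" "$SBT_LAUNCH_SHA1"; then
  echo "placeholder digest correctly rejected"
fi
rm -f "$demo_file"

# Real use (needs network and a genuine digest for the chosen SBT_VERSION):
#   fetch_and_verify "$SBT_URL" build/sbt-launch.jar "$SBT_LAUNCH_SHA1"
```

      Pinning the digest in the script is the stronger of the two controls: it catches a subverted artifact whether it arrives via a MITM on the wire or via a compromised mirror, at the cost of having to update the hash whenever `SBT_VERSION` changes.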

      People

        srowen Sean R. Owen
        stevel@apache.org Steve Loughran
        Votes: 0
        Watchers: 2