Posted to issues@spark.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2015/07/28 22:02:05 UTC

[jira] [Commented] (SPARK-9417) sbt-launch to fetch sbt binaries over https not http

    [ https://issues.apache.org/jira/browse/SPARK-9417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14644959#comment-14644959 ] 

Steve Loughran commented on SPARK-9417:
---------------------------------------

Marking as related to SPARK-9254, which added the redirect handling to the script. This JIRA doesn't supplement it; it just advocates making the original URL the HTTPS one.

> sbt-launch to fetch sbt binaries over https not http
> ----------------------------------------------------
>
>                 Key: SPARK-9417
>                 URL: https://issues.apache.org/jira/browse/SPARK-9417
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.5.0
>            Reporter: Steve Loughran
>            Priority: Minor
>
> the current {{build/sbt-launch-lib.bash}} uses two URLs to try and fetch sbt from
> {code}
>   URL1=http://typesafe.artifactoryonline.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
>   URL2=http://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION}/sbt-launch.jar
> {code}
> Using HTTP means that the artifacts are downloaded without any auth, and without any checksum validation. Yet the actual URL currently just redirects to the URL https://repo.typesafe.com/typesafe/ivy-releases/
> Switching to that directly would reduce vulnerability to MITM publishing of subverted artifacts, or at least postpone it to the maven/ivy phase.
> An alternative strategy would be to have the SHA1 checksum in the script, and explicitly validate the D/L.
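As an added example, not part of this JIRA or of Spark's own build/sbt-launch-lib.bash: a shell fragment that fetches sbt-launch.jar over HTTPS only, refusing a downgrade to HTTP on redirect, and validates the download against a SHA-1 pinned in the script, as the description suggests. The URL layout and SBT_VERSION follow the issue; the pinned digest is a placeholder that would be replaced with the published value for the chosen version.

```shell
#!/usr/bin/env bash
# Added example, not Spark's build/sbt-launch-lib.bash. Fetch sbt-launch.jar
# over HTTPS only and reject it unless its SHA-1 matches a digest pinned here.
set -eu

# Placeholder digest: replace with the published SHA-1 for the pinned SBT_VERSION.
SBT_LAUNCH_SHA1="0000000000000000000000000000000000000000"

# Compute a file's SHA-1 with whichever tool is installed (sha1sum or shasum).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_SHA1: returns 0 on match, 1 on mismatch.
# Hex casing is normalised so an upper-case digest in the script still matches.
verify_checksum() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha1_of "$file" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# fetch_sbt_launch DEST: download from the HTTPS repo named in the issue.
# --proto/--proto-redir restrict both the request and any redirect to HTTPS,
# so a redirect back to plain HTTP fails instead of silently downgrading.
# A checksum mismatch deletes the file so a later build step cannot use it.
fetch_sbt_launch() {
  local dest="$1" url
  url="https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/${SBT_VERSION:?SBT_VERSION must be set}/sbt-launch.jar"
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' -o "$dest" "$url"
  if ! verify_checksum "$dest" "$SBT_LAUNCH_SHA1"; then
    rm -f "$dest"
    return 1
  fi
}
```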
