You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Apache Spark (Jira)" <ji...@apache.org> on 2021/05/11 16:17:00 UTC
[jira] [Assigned] (SPARK-35373) Verify checksums of downloaded
artifacts in build/mvn
[ https://issues.apache.org/jira/browse/SPARK-35373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Apache Spark reassigned SPARK-35373:
------------------------------------
Assignee: Apache Spark (was: Sean R. Owen)
> Verify checksums of downloaded artifacts in build/mvn
> -----------------------------------------------------
>
> Key: SPARK-35373
> URL: https://issues.apache.org/jira/browse/SPARK-35373
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Affects Versions: 2.4.7, 3.0.2, 3.1.1
> Reporter: Sean R. Owen
> Assignee: Apache Spark
> Priority: Minor
>
> build/mvn is a convenience script that will automatically download Maven (and Scala) if not already present. While it downloads from official ASF mirrors, it does not check the checksum of the artifact, which is available as a .sha512 file from ASF servers.
> The risk of a supply chain attack is a bit less theoretical here than usual, because artifacts are downloaded from any of several mirrors worldwide, and injecting a malicious copy of Maven in any one of them might be simpler and less noticeable than injecting it into ASF servers.
> (Note, Scala's download site does not seem to provide a checksum. They do all come from Lightbend, at least, not N mirrors. Not much we can do there.)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org