Posted to reviews@spark.apache.org by srowen <gi...@git.apache.org> on 2014/08/06 11:46:51 UTC

[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

GitHub user srowen opened a pull request:

    https://github.com/apache/spark/pull/1805

    SPARK-2879 [BUILD] Use HTTPS to access Maven Central and other repos

    Maven Central has just now enabled HTTPS access for everyone to Maven Central (http://central.sonatype.org/articles/2014/Aug/03/https-support-launching-now/). This is timely, as a reminder of how easily an attacker can slip malicious code into a build that's downloading artifacts over HTTP (http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/).
    
    In the meantime, it looks like the Spring repo also now supports HTTPS, so can be used this way too.
    
    I propose to use HTTPS to access these repos.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/srowen/spark SPARK-2879

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/1805.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1805
    
----
commit 7043a8e4d1576424068bf307abb315809696c690
Author: Sean Owen <sr...@gmail.com>
Date:   2014-08-06T09:46:16Z

    Use HTTPS for Maven Central libs and plugins; use id 'central' to override parent properly; use HTTPS for Spring repo

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51313947
  
    QA tests have started for PR 1805. This patch merges cleanly.
    View progress: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/18016/consoleFull




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/spark/pull/1805




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by pwendell <gi...@git.apache.org>.
Github user pwendell commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51430124
  
    @srowen so I just re-ran the build and it worked... maybe this is a transient problem




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by pwendell <gi...@git.apache.org>.
Github user pwendell commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51419172
  
    Okay I'm merging this.




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by aarondav <gi...@git.apache.org>.
Github user aarondav commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51431782
  
    Just wait for the posts on the user list...




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by pwendell <gi...@git.apache.org>.
Github user pwendell commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51409615
  
    Thanks @srowen - for a long time we had users periodically submitting PRs to change this to https and then someone would submit a PR to change it back because it didn't work for them. I think previously Maven Central had limited support for this in parts of the mirror network, so hopefully now it works everywhere.




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by pwendell <gi...@git.apache.org>.
Github user pwendell commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51424743
  
    @srowen should we be using `repo.maven.apache.org` rather than `repo1.maven.apache.org`?




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51350321
  
    QA tests have started for PR 1805. This patch merges cleanly.
    View progress: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/18025/consoleFull




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by srowen <gi...@git.apache.org>.
Github user srowen commented on a diff in the pull request:

    https://github.com/apache/spark/pull/1805#discussion_r15901784
  
    --- Diff: pom.xml ---
    @@ -143,11 +143,11 @@
     
       <repositories>
         <repository>
    -      <id>maven-repo</id>
    +      <id>central</id>
    --- End diff --
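
Review bot: the `<id>central</id>` line should carry an XML comment in pom.xml saying the id is deliberate. Maven's Super POM declares its default repository under the id `central`, so this entry replaces that default only while the id stays exactly `central`; a later rename back to something like `maven-repo` would silently leave the inherited entry in the list next to this one. A one-line comment above the `<id>` would prevent that, and any `<pluginRepositories>` block, which this hunk does not show, is worth checking for the same id.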
    
    The default repo that everyone inherits in any Maven build is Sonatype's repo, which has just been called "Maven Central" for as long as I can remember: http://search.maven.org/  It's not an Apache repo.
    
    The reason I changed the name is that its ID in the default Maven parent pom is "central". Right now, it's not actually overriding the default. Maven Central repo is included twice in the list of repos, which does very little harm except to cost a duplicate check to Maven Central when an artifact isn't found.
    
    Still, it seemed more reasonable to actually override it as intended. I suppose that otherwise, you'd be leaking your (failed) requests for artifacts even after this change to secure these requests, although that's very minor.
    
    Anyway that's why I changed it to "central", since that's its ID in the default Maven parent.
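
Added example, not part of the original thread or of Spark's build: a small Python check for the two conditions discussed in this pull request, a repository reached over plain HTTP and a `<repositories>` or `<pluginRepositories>` section that never overrides the inherited `central` id. The sample POM, the `audit_pom` name and the `example-releases` repository are constructed for illustration.

```python
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POM for illustration; this is not Spark's pom.xml.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>maven-repo</id>
      <url>https://repo1.maven.org/maven2</url>
    </repository>
    <repository>
      <id>example-releases</id>
      <url>http://repo.example.org/libs-release</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>central</id>
      <url>https://repo1.maven.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

def audit_pom(pom_text):
    """Return (section, repo id, problem) tuples for top-level repository entries.

    Repositories declared inside <profiles> are not inspected here.
    """
    root = ET.fromstring(pom_text)
    findings = []
    for section, entry in (("repositories", "repository"),
                           ("pluginRepositories", "pluginRepository")):
        seen_ids = set()
        for repo in root.findall(f"{POM_NS}{section}/{POM_NS}{entry}"):
            repo_id = (repo.findtext(f"{POM_NS}id") or "").strip()
            url = (repo.findtext(f"{POM_NS}url") or "").strip()
            seen_ids.add(repo_id)
            if not url.lower().startswith("https://"):
                findings.append((section, repo_id, "non-HTTPS url: " + url))
        # Only an entry whose id is exactly "central" replaces the inherited
        # default; any other id adds a second entry next to it.
        if "central" not in seen_ids:
            findings.append((section, "central", "inherited default not overridden"))
    return findings

if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(finding)
```
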




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by srowen <gi...@git.apache.org>.
Github user srowen commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51436732
  
    @pwendell You're right that actually `repo1.maven.org` is canonical (http://central.stage.sonatype.org/pages/consumers.html). I'll send another small PR to touch that up, and one other small thing.




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51358446
  
    QA results for PR 1805:
    - This patch PASSES unit tests.
    - This patch merges cleanly
    - This patch adds no public classes

    For more information see test output:
    https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/18025/consoleFull




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by rxin <gi...@git.apache.org>.
Github user rxin commented on a diff in the pull request:

    https://github.com/apache/spark/pull/1805#discussion_r15899974
  
    --- Diff: pom.xml ---
    @@ -143,11 +143,11 @@
     
       <repositories>
         <repository>
    -      <id>maven-repo</id>
    +      <id>central</id>
    --- End diff --
    
    any reason we call apache maven "central"? (the old name is confusing too)




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by pwendell <gi...@git.apache.org>.
Github user pwendell commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51424620
  
    @srowen I just got this error in Maven when trying to package a release. I'm going to retry this, but wondering if it's related.
    
    ```
    Failed to execute goal org.apache.avro:avro-maven-plugin:1.7.3:idl-protocol (default) on project spark-streaming-flume-sink_2.10: Execution default of goal org.apache.avro:avro-maven-plugin:1.7.3:idl-protocol failed: Plugin org.apache.avro:avro-maven-plugin:1.7.3 or one of its dependencies could not be resolved: Could not transfer artifact com.thoughtworks.paranamer:paranamer:jar:2.3 from/to central (https://repo1.maven.org/maven2): hostname in certificate didn't match: <repo1.maven.org> != <repo.maven.apache.org> OR <repo.maven.apache.org> -> [Help 1]
    ```




[GitHub] spark pull request: SPARK-2879 [BUILD] Use HTTPS to access Maven C...

Posted by srowen <gi...@git.apache.org>.
Github user srowen commented on the pull request:

    https://github.com/apache/spark/pull/1805#issuecomment-51349772
  
    Jenkins, retest this please.

