Posted to users@maven.apache.org by Kristiyan Marinov <kr...@gmail.com> on 2014/06/25 13:04:55 UTC

Corrupted download mirror?

Hi all,

I had to download a few different Maven versions today and noticed that
each time I downloaded a binary distribution from the
http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as a
malicious file. Switching the mirror to http://apache.cbox.biz/ produced no
such complaints from Chrome.

Has anyone else noticed such issues? Could there be something wrong with
the mirror?


Cheers,
Kristiyan

Re: Corrupted download mirror?

Posted by Jason van Zyl <ja...@takari.io>.
Sorry, I thought he originally meant a mirror of Maven Central not a mirror of Apache.

On Jun 27, 2014, at 5:52 PM, Hervé BOUTEMY <he...@free.fr> wrote:

> On Friday 27 June 2014 17:36:17 Jason van Zyl wrote:
>> On Jun 27, 2014, at 4:11 PM, Hervé BOUTEMY <he...@free.fr> wrote:
>>> On Friday 27 June 2014 07:25:08 Jason van Zyl wrote:
>>>> I've never seen those mirrors before. The Apache Maven PMC is aware of
>>>> and collaborate with Sonatype on the canonical Maven Central and
>>>> collectively we would assert the content is valid. Anything else and
>>>> you're on your own. I honestly wouldn't use those mirrors. Maven Central
>>>> is currently served using a CDN which generally has edges not too far
>>>> away from you.
>>> 
>>> -1
>> 
>> Really? Do you check the other mirrors? I don't think any of us do? We
>> should but we don't as far as I know. If it's an official mirror then
>> what's the standard? If someone goes "Hey, I want to be a mirror" and we
>> call them an official mirror and they fill it with malicious artifacts we
>> would be none the wiser.
> it's ASF mirror, with ASF policy, that works for more than Apache Maven
> 
>> 
>> I at least know what happens with the current Maven Central machines, and
>> I'm reasonably assured of the security. Note I'm not affiliated with
>> Sonatype anymore, I just know they have a good IT staff.
> notice I'm affiliated with ASF and I know they have a good IT staff too: that 
> does not mean that other organization don't have good IT staff
> But since it's Apache Maven, as member of Maven PMC, I just need to remember 
> users that Apache dist area (with its mirrors) is the official Apache 
> distribution area for any Apache project
> 
> I know we have another good distribution space with central
> 
>> 
>> So I stand by my claim that I would not use anything but the primary because
>> there is no vetting process whatsoever.
> yes: primary = Apache dist (which contains signatures to check against to be 
> sure that nothing wrong happened)
> 
> Regards,
> 
> Hervé
> 
> 
>>> apache.igor.onlinedirect.bg is an official Apache mirror [1]
>>> so this is an official source to download Maven
>>> 
>>> I just tried and didn't have any problem: perhaps there was a
>>> synchronization issue
>>> in any case, you should take time to check signature to verify nothing has
>>> been damaged
>>> 
>>> Regards,
>>> 
>>> Hervé
>>> 
>>> [1] http://www.apache.org/mirrors/#bg
>>> 
>>>> On Jun 25, 2014, at 7:04 AM, Kristiyan Marinov <kr...@gmail.com> wrote:
>>>>> Hi all,
>>>>> 
>>>>> I had to download a few different Maven versions today and noticed that
>>>>> each time I downloaded a binary distribution from the
>>>>> http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as
>>>>> a
>>>>> malicious file. Switching the mirror to http://apache.cbox.biz/ produced
>>>>> no
>>>>> such complaints from Chrome.
>>>>> 
>>>>> Has anyone else noticed such issues? Could there be something wrong with
>>>>> the mirror?
>>>>> 
>>>>> 
>>>>> Cheers,
>>>>> Kristiyan
>>>> 
>>>> Thanks,
>>>> 
>>>> Jason
>>>> 
>>>> ----------------------------------------------------------
>>>> Jason van Zyl
>>>> Founder,  Apache Maven
>>>> http://twitter.com/jvanzyl
>>>> http://twitter.com/takari_io
>>>> ---------------------------------------------------------
>>>> 
>>>> Our achievements speak for themselves. What we have to keep track
>>>> of are our failures, discouragements and doubts. We tend to forget
>>>> the past difficulties, the many false starts, and the painful
>>>> groping. We see our past achievements as the end result of a
>>>> clean forward thrust, and our present difficulties as
>>>> signs of decline and decay.
>>>> 
>>>> -- Eric Hoffer, Reflections on the Human Condition
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
>>> For additional commands, e-mail: users-help@maven.apache.org
>> 
>> Thanks,
>> 
>> Jason
>> 
>> ----------------------------------------------------------
>> Jason van Zyl
>> Founder,  Apache Maven
>> http://twitter.com/jvanzyl
>> http://twitter.com/takari_io
>> ---------------------------------------------------------
>> 
>> A man enjoys his work when he understands the whole and when he
>> is responsible for the quality of the whole
>> 
>> -- Christopher Alexander, A Pattern Language
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
> 

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
http://twitter.com/takari_io
---------------------------------------------------------

We all have problems. How we deal with them is a measure of our worth.

 -- Unknown


Re: Corrupted download mirror?

Posted by Hervé BOUTEMY <he...@free.fr>.
On Friday 27 June 2014 17:36:17 Jason van Zyl wrote:
> On Jun 27, 2014, at 4:11 PM, Hervé BOUTEMY <he...@free.fr> wrote:
> > On Friday 27 June 2014 07:25:08 Jason van Zyl wrote:
> >> I've never seen those mirrors before. The Apache Maven PMC is aware of
> >> and collaborate with Sonatype on the canonical Maven Central and
> >> collectively we would assert the content is valid. Anything else and
> >> you're on your own. I honestly wouldn't use those mirrors. Maven Central
> >> is currently served using a CDN which generally has edges not too far
> >> away from you.
> > 
> > -1
> 
> Really? Do you check the other mirrors? I don't think any of us do? We
> should but we don't as far as I know. If it's an official mirror then
> what's the standard? If someone goes "Hey, I want to be a mirror" and we
> call them an official mirror and they fill it with malicious artifacts we
> would be none the wiser.
it's ASF mirror, with ASF policy, that works for more than Apache Maven

> 
> I at least know what happens with the current Maven Central machines, and
> I'm reasonably assured of the security. Note I'm not affiliated with
> Sonatype anymore, I just know they have a good IT staff.
notice I'm affiliated with ASF and I know they have a good IT staff too: that 
does not mean that other organization don't have good IT staff
But since it's Apache Maven, as member of Maven PMC, I just need to remember 
users that Apache dist area (with its mirrors) is the official Apache 
distribution area for any Apache project

I know we have another good distribution space with central

> 
> So I stand by my claim that I would not use anything but the primary because
> there is no vetting process whatsoever.
yes: primary = Apache dist (which contains signatures to check against to be 
sure that nothing wrong happened)

Regards,

Hervé


> > apache.igor.onlinedirect.bg is an official Apache mirror [1]
> > so this is an official source to download Maven
> > 
> > I just tried and didn't have any problem: perhaps there was a
> > synchronization issue
> > in any case, you should take time to check signature to verify nothing has
> > been damaged
> > 
> > Regards,
> > 
> > Hervé
> > 
> > [1] http://www.apache.org/mirrors/#bg
> > 
> >> On Jun 25, 2014, at 7:04 AM, Kristiyan Marinov <kr...@gmail.com> wrote:
> >>> Hi all,
> >>> 
> >>> I had to download a few different Maven versions today and noticed that
> >>> each time I downloaded a binary distribution from the
> >>> http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as
> >>> a
> >>> malicious file. Switching the mirror to http://apache.cbox.biz/ produced
> >>> no
> >>> such complaints from Chrome.
> >>> 
> >>> Has anyone else noticed such issues? Could there be something wrong with
> >>> the mirror?
> >>> 
> >>> 
> >>> Cheers,
> >>> Kristiyan
> >> 
> >> Thanks,
> >> 
> >> Jason
> >> 
> >> ----------------------------------------------------------
> >> Jason van Zyl
> >> Founder,  Apache Maven
> >> http://twitter.com/jvanzyl
> >> http://twitter.com/takari_io
> >> ---------------------------------------------------------
> >> 
> >> Our achievements speak for themselves. What we have to keep track
> >> of are our failures, discouragements and doubts. We tend to forget
> >> the past difficulties, the many false starts, and the painful
> >> groping. We see our past achievements as the end result of a
> >> clean forward thrust, and our present difficulties as
> >> signs of decline and decay.
> >> 
> >> -- Eric Hoffer, Reflections on the Human Condition
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> > For additional commands, e-mail: users-help@maven.apache.org
> 
> Thanks,
> 
> Jason
> 
> ----------------------------------------------------------
> Jason van Zyl
> Founder,  Apache Maven
> http://twitter.com/jvanzyl
> http://twitter.com/takari_io
> ---------------------------------------------------------
> 
> A man enjoys his work when he understands the whole and when he
> is responsible for the quality of the whole
> 
>  -- Christopher Alexander, A Pattern Language


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Corrupted download mirror?

Posted by Jason van Zyl <ja...@takari.io>.
On Jun 27, 2014, at 4:11 PM, Hervé BOUTEMY <he...@free.fr> wrote:

> On Friday 27 June 2014 07:25:08 Jason van Zyl wrote:
>> I've never seen those mirrors before. The Apache Maven PMC is aware of and
>> collaborate with Sonatype on the canonical Maven Central and collectively
>> we would assert the content is valid. Anything else and you're on your own.
>> I honestly wouldn't use those mirrors. Maven Central is currently served
>> using a CDN which generally has edges not too far away from you.
> -1
> 

Really? Do you check the other mirrors? I don't think any of us do? We should but we don't as far as I know. If it's an official mirror then what's the standard? If someone goes "Hey, I want to be a mirror" and we call them an official mirror and they fill it with malicious artifacts we would be none the wiser. 

I at least know what happens with the current Maven Central machines, and I'm reasonably assured of the security. Note I'm not affiliated with Sonatype anymore, I just know they have a good IT staff.

So I stand by my claim that I would not use anything but the primary because there is no vetting process whatsoever.

> apache.igor.onlinedirect.bg is an official Apache mirror [1]
> so this is an official source to download Maven
> 
> I just tried and didn't have any problem: perhaps there was a synchronization 
> issue
> in any case, you should take time to check signature to verify nothing has been 
> damaged
> 
> Regards,
> 
> Hervé
> 
> [1] http://www.apache.org/mirrors/#bg
> 
>> On Jun 25, 2014, at 7:04 AM, Kristiyan Marinov <kr...@gmail.com> wrote:
>>> Hi all,
>>> 
>>> I had to download a few different Maven versions today and noticed that
>>> each time I downloaded a binary distribution from the
>>> http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as a
>>> malicious file. Switching the mirror to http://apache.cbox.biz/ produced
>>> no
>>> such complaints from Chrome.
>>> 
>>> Has anyone else noticed such issues? Could there be something wrong with
>>> the mirror?
>>> 
>>> 
>>> Cheers,
>>> Kristiyan
>> 
>> Thanks,
>> 
>> Jason
>> 
>> ----------------------------------------------------------
>> Jason van Zyl
>> Founder,  Apache Maven
>> http://twitter.com/jvanzyl
>> http://twitter.com/takari_io
>> ---------------------------------------------------------
>> 
>> Our achievements speak for themselves. What we have to keep track
>> of are our failures, discouragements and doubts. We tend to forget
>> the past difficulties, the many false starts, and the painful
>> groping. We see our past achievements as the end result of a
>> clean forward thrust, and our present difficulties as
>> signs of decline and decay.
>> 
>> -- Eric Hoffer, Reflections on the Human Condition
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
> 

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
http://twitter.com/takari_io
---------------------------------------------------------

A man enjoys his work when he understands the whole and when he
is responsible for the quality of the whole

 -- Christopher Alexander, A Pattern Language


Re: Corrupted download mirror?

Posted by Dan Tran <da...@gmail.com>.
I am running into similar issue where at home, I am not able to download a
particular artifact (maven-scm-provider-cvsexe, and release plugin needs
it)

https://issues.sonatype.org/browse/MVNCENTRAL-446

Could be CDN issue at my San Jose, CA area with Comcast?

-D


On Fri, Jun 27, 2014 at 1:11 PM, Hervé BOUTEMY <he...@free.fr>
wrote:

> On Friday 27 June 2014 07:25:08 Jason van Zyl wrote:
> > I've never seen those mirrors before. The Apache Maven PMC is aware of and
> > collaborate with Sonatype on the canonical Maven Central and collectively
> > we would assert the content is valid. Anything else and you're on your own.
> > I honestly wouldn't use those mirrors. Maven Central is currently served
> > using a CDN which generally has edges not too far away from you.
> -1
>
> apache.igor.onlinedirect.bg is an official Apache mirror [1]
> so this is an official source to download Maven
>
> I just tried and didn't have any problem: perhaps there was a synchronization
> issue
> in any case, you should take time to check signature to verify nothing has been
> damaged
>
> Regards,
>
> Hervé
>
> [1] http://www.apache.org/mirrors/#bg
>
> > On Jun 25, 2014, at 7:04 AM, Kristiyan Marinov <kr...@gmail.com> wrote:
> > > Hi all,
> > >
> > > I had to download a few different Maven versions today and noticed that
> > > each time I downloaded a binary distribution from the
> > > http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as a
> > > malicious file. Switching the mirror to http://apache.cbox.biz/ produced
> > > no
> > > such complaints from Chrome.
> > >
> > > Has anyone else noticed such issues? Could there be something wrong with
> > > the mirror?
> > >
> > >
> > > Cheers,
> > > Kristiyan
> >
> > Thanks,
> >
> > Jason
> >
> > ----------------------------------------------------------
> > Jason van Zyl
> > Founder,  Apache Maven
> > http://twitter.com/jvanzyl
> > http://twitter.com/takari_io
> > ---------------------------------------------------------
> >
> > Our achievements speak for themselves. What we have to keep track
> > of are our failures, discouragements and doubts. We tend to forget
> > the past difficulties, the many false starts, and the painful
> > groping. We see our past achievements as the end result of a
> > clean forward thrust, and our present difficulties as
> > signs of decline and decay.
> >
> >  -- Eric Hoffer, Reflections on the Human Condition
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
>
>

Re: Corrupted download mirror?

Posted by Hervé BOUTEMY <he...@free.fr>.
On Friday 27 June 2014 07:25:08 Jason van Zyl wrote:
> I've never seen those mirrors before. The Apache Maven PMC is aware of and
> collaborate with Sonatype on the canonical Maven Central and collectively
> we would assert the content is valid. Anything else and you're on your own.
> I honestly wouldn't use those mirrors. Maven Central is currently served
> using a CDN which generally has edges not too far away from you.
-1

apache.igor.onlinedirect.bg is an official Apache mirror [1]
so this is an official source to download Maven

I just tried and didn't have any problem: perhaps there was a synchronization 
issue
in any case, you should take time to check signature to verify nothing has been 
damaged

Regards,

Hervé

[1] http://www.apache.org/mirrors/#bg

> On Jun 25, 2014, at 7:04 AM, Kristiyan Marinov <kr...@gmail.com> wrote:
> > Hi all,
> > 
> > I had to download a few different Maven versions today and noticed that
> > each time I downloaded a binary distribution from the
> > http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as a
> > malicious file. Switching the mirror to http://apache.cbox.biz/ produced
> > no
> > such complaints from Chrome.
> > 
> > Has anyone else noticed such issues? Could there be something wrong with
> > the mirror?
> > 
> > 
> > Cheers,
> > Kristiyan
> 
> Thanks,
> 
> Jason
> 
> ----------------------------------------------------------
> Jason van Zyl
> Founder,  Apache Maven
> http://twitter.com/jvanzyl
> http://twitter.com/takari_io
> ---------------------------------------------------------
> 
> Our achievements speak for themselves. What we have to keep track
> of are our failures, discouragements and doubts. We tend to forget
> the past difficulties, the many false starts, and the painful
> groping. We see our past achievements as the end result of a
> clean forward thrust, and our present difficulties as
> signs of decline and decay.
> 
>  -- Eric Hoffer, Reflections on the Human Condition
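
The signature check recommended in the two replies from Hervé, as an added example that is not part of the original thread: the digest comparison catches a damaged or half-synchronized mirror copy, and only the OpenPGP check authenticates the file. The function names are hypothetical, and the checksum file, detached signature and keyring are assumed to come from the primary Apache dist area rather than from the mirror being tested.

```python
import hashlib
import hmac
import re
import shutil
import subprocess


def parse_published_digest(text, algo="sha512"):
    """Pull the hex digest out of a checksum file fetched from the primary site.

    Accepts bare hex, the coreutils 'hex  filename' layout, and the
    'filename: AB12CD34 ...' layout written by `gpg --print-md`, which
    groups the digits and may wrap over several lines.
    """
    want = hashlib.new(algo).digest_size * 2
    text = text.strip()
    if ":" in text:
        # gpg --print-md layout: drop the name, then join the digit groups
        candidate = re.sub(r"\s+", "", text.split(":", 1)[1])
    else:
        # bare hex, or hex followed by a file name
        candidate = text.split()[0] if text else ""
    candidate = candidate.lower()
    if len(candidate) != want or not re.fullmatch(r"[0-9a-f]+", candidate):
        raise ValueError("no usable %s digest in checksum file" % algo)
    return candidate


def file_digest(path, algo="sha512"):
    """Hash the downloaded file in chunks so large archives are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(path, checksum_text, algo="sha512"):
    """True if the mirror's file hashes to the digest published on the primary."""
    return hmac.compare_digest(file_digest(path, algo),
                               parse_published_digest(checksum_text, algo))


def signature_valid(path, sig_path, keyring_path):
    """Verify a detached OpenPGP signature with only the keys in keyring_path.

    Assumption: keyring_path was built by importing the project's KEYS file
    obtained from the primary site, never from the mirror under test.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    done = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", sig_path, path],
        capture_output=True)
    return done.returncode == 0
```

A file that fails `digest_matches` should be discarded and fetched again; one that passes still needs `signature_valid` before it is trusted.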




Re: Corrupted download mirror?

Posted by Jason van Zyl <ja...@takari.io>.
I've never seen those mirrors before. The Apache Maven PMC is aware of and collaborate with Sonatype on the canonical Maven Central and collectively we would assert the content is valid. Anything else and you're on your own. I honestly wouldn't use those mirrors. Maven Central is currently served using a CDN which generally has edges not too far away from you.

On Jun 25, 2014, at 7:04 AM, Kristiyan Marinov <kr...@gmail.com> wrote:

> Hi all,
> 
> I had to download a few different Maven versions today and noticed that
> each time I downloaded a binary distribution from the
> http://apache.igor.onlinedirect.bg/ mirror Google Chrome rejected it as a
> malicious file. Switching the mirror to http://apache.cbox.biz/ produced no
> such complaints from Chrome.
> 
> Has anyone else noticed such issues? Could there be something wrong with
> the mirror?
> 
> 
> Cheers,
> Kristiyan

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
http://twitter.com/takari_io
---------------------------------------------------------

Our achievements speak for themselves. What we have to keep track
of are our failures, discouragements and doubts. We tend to forget
the past difficulties, the many false starts, and the painful
groping. We see our past achievements as the end result of a
clean forward thrust, and our present difficulties as
signs of decline and decay.

 -- Eric Hoffer, Reflections on the Human Condition