You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@whirr.apache.org by Karel Vervaeke <ka...@outerthought.org> on 2012/02/21 16:10:24 UTC
install_oab_java considered harmful
I'm not a big fan of the install_oab_java.sh thing to be honest
30 Sorry that I didn't express this earlier, I couldn't put my finger on it.
30 It's a security liability: It requires pulling from two github
repos who are only controlled by the individuals who own the
repository.
If they decide to slip in maliscious stuff, everybody installing java
via those scripts is going to be affected.
It would be (slightly) better if we forked the repository (e.g. under
the apache github account, but I doubt the infrastructure for that is
up).
And possibly even better if the actual commands were embedded in whirr
(rather than fetched from external sources at runtime)
Even if the owners don't have malicious intentions, chances are
they'll update their scripts, possibly breaking whirr in the proces
(without even knowing they are breaking anything)
WDYT?
Regards,
Karel
--
Karel Vervaeke
http://outerthought.org/
Open Source Content Applications
Makers of Kauri, Daisy CMS and Lily
Re: install_oab_java considered harmful
Posted by Andrei Savu <sa...@gmail.com>.
I agree. Let's find a better / more secure way of installing the Oracle JDK
- that would fix all the problems we are seeing.
Anyone willing to port InstallJDK.fromURL() from jclouds 1.4.0? Any other
ideas?
On Tue, Feb 21, 2012 at 3:10 PM, Karel Vervaeke <ka...@outerthought.org>wrote:
> I'm not a big fan of the install_oab_java.sh thing to be honest
> 30 Sorry that I didn't express this earlier, I couldn't put my finger on
> it.
> 30 It's a security liability: It requires pulling from two github
> repos who are only controlled by the individuals who own the
> repository.
> If they decide to slip in maliscious stuff, everybody installing java
> via those scripts is going to be affected.
> It would be (slightly) better if we forked the repository (e.g. under
> the apache github account, but I doubt the infrastructure for that is
> up).
> And possibly even better if the actual commands were embedded in whirr
> (rather than fetched from external sources at runtime)
> Even if the owners don't have malicious intentions, chances are
> they'll update their scripts, possibly breaking whirr in the proces
> (without even knowing they are breaking anything)
>
> WDYT?
>
> Regards,
> Karel
> --
> Karel Vervaeke
> http://outerthought.org/
> Open Source Content Applications
> Makers of Kauri, Daisy CMS and Lily
>