You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@heron.apache.org by GitBox <gi...@apache.org> on 2018/04/06 15:33:40 UTC

[GitHub] ajorgensen opened a new pull request #2856: Add sha256 checksums for all http_archives

ajorgensen opened a new pull request #2856: Add sha256 checksums for all http_archives
URL: https://github.com/apache/incubator-heron/pull/2856
 
 
   I have taken the current sha256 checksum for all of the workspace
   archives so we can verify their signature on download. Since some
   of the artifacts are downloaded over http, we want to make sure
   there was no man in the middle attack done to change the resulting
   binary. This also  gives assurance that the code we are downloading
   has not been tampered with in any way either over the wire or at
   the source.
   
   I used the following function:
   ```
   checksum_remote () {
       curl -L -s $1 | sha256sum | cut -d' ' -f1 | tr -d '\n'
   }
   ```
   to get the sha256 signature and then ran `bazel clean && bazel build //heron/...` to verify the signatures were correct.
   
   Closes https://github.com/apache/incubator-heron/issues/2854

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services