SPARK-2879 [BUILD] Use HTTPS to access Maven Central and other repos #1805

Closed

Member

srowen commented Aug 6, 2014

Maven Central has just now enabled HTTPS access for everyone to Maven Central (http://central.sonatype.org/articles/2014/Aug/03/https-support-launching-now/). This is timely, as a reminder of how easily an attacker can slip malicious code into a build that's downloading artifacts over HTTP (http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/).

In the meantime, it looks like the Spring repo also now supports HTTPS, so can be used this way too.

I propose to use HTTPS to access these repos.

…rride parent properly; use HTTPS for Spring repo

SparkQA commented Aug 6, 2014

QA tests have started for PR 1805. This patch merges cleanly.
View progress: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/18016/consoleFull

Member Author

srowen commented Aug 6, 2014

Jenkins, retest this please.


SparkQA commented Aug 6, 2014

QA tests have started for PR 1805. This patch merges cleanly.
View progress: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/18025/consoleFull


SparkQA commented Aug 6, 2014

QA results for PR 1805:
- This patch PASSES unit tests.
- This patch merges cleanly
- This patch adds no public classes

For more information see test output:
https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/18025/consoleFull

@@ -143,11 +143,11 @@

<repositories>
<repository>
<id>maven-repo</id>
<id>central</id>
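Review bot: The `<id>` change from `maven-repo` to `central` needs a comment in the POM saying that the id is chosen to match the repository id in Maven's default parent POM, so that this entry replaces the inherited definition instead of adding a second one. Without it the name reads as arbitrary, and a later cleanup could rename it and bring back the duplicate, inherited repository without anyone noticing. A one-line XML comment above `<id>central</id>` would cover it.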
Contributor

any reason we call apache maven "central"? (the old name is confusing too)

Member Author

The default repo that everyone inherits in any Maven build is Sonatype's repo, which has just been called "Maven Central" for as long as I can remember: http://search.maven.org/ It's not an Apache repo.

The reason I changed the name is that its ID in the default Maven parent pom is "central". Right now, it's not actually overriding the default. Maven Central repo is included twice in the list of repos, which does very little harm except to cost a duplicate check to Maven Central when an artifact isn't found.

Still, it seemed more reasonable to actually override it as intended. I suppose that otherwise, you'd be leaking your (failed) requests for artifacts even after this change to secure these requests, although that's very minor.

Anyway that's why I changed it to "central", since that's its ID in the default Maven parent.
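
The two conditions discussed in this review thread (repositories fetched over plain HTTP, and an id other than "central" leaving the inherited default repository in place) can be checked mechanically. This is an added example, not code from the pull request or from Spark; the sample POM, its `repo.example.invalid` URLs and the `audit_pom` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not Spark's pom.xml): the artifact repository uses
# a non-default id and plain HTTP; the plugin repository is already fixed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>maven-repo</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>central</id>
      <url>https://repo.example.invalid/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_pom(pom_xml):
    """Return (section, id, detail) findings for a POM's repository entries."""
    findings = []
    overridden = {"repositories": False, "pluginRepositories": False}
    for group in ET.fromstring(pom_xml).iter():
        section = local(group.tag)
        if section not in overridden:
            continue
        for repo in group:
            fields = {local(c.tag): (c.text or "").strip() for c in repo}
            repo_id, url = fields.get("id", ""), fields.get("url", "")
            overridden[section] |= repo_id == "central"
            if not url.lower().startswith("https://"):
                findings.append((section, repo_id, url))
    # With no entry whose id is 'central', the repository inherited from
    # Maven's default parent POM stays in effect next to the declared ones.
    for section, done in overridden.items():
        if not done:
            findings.append((section, "central", "inherited, not overridden"))
    return findings

if __name__ == "__main__":
    for section, repo_id, detail in audit_pom(SAMPLE_POM):
        print(f"{section} id={repo_id}: {detail}")
```
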

Contributor

pwendell commented Aug 6, 2014

Thanks @srowen - for a long time we had users periodically submitting PR's to change this to https and then someone would submit a PR to change it back because it didn't work for them. I think previously maven central had limited support for this in parts of the mirror network, so hopefully now it works everywhere.

Contributor

pwendell commented Aug 7, 2014

Okay I'm merging this.

@asfgit asfgit closed this in 4201d27 Aug 7, 2014
asfgit pushed a commit that referenced this pull request Aug 7, 2014
Maven Central has just now enabled HTTPS access for everyone to Maven Central (http://central.sonatype.org/articles/2014/Aug/03/https-support-launching-now/) This is timely, as a reminder of how easily an attacker can slip malicious code into a build that's downloading artifacts over HTTP (http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/).

In the meantime, it looks like the Spring repo also now supports HTTPS, so can be used this way too.

I propose to use HTTPS to access these repos.

Author: Sean Owen <srowen@gmail.com>

Closes #1805 from srowen/SPARK-2879 and squashes the following commits:

7043a8e [Sean Owen] Use HTTPS for Maven Central libs and plugins; use id 'central' to override parent properly; use HTTPS for Spring repo
(cherry picked from commit 4201d27)

Signed-off-by: Patrick Wendell <pwendell@gmail.com>
Contributor

pwendell commented Aug 7, 2014

@srowen I just got this error in Maven when trying to package a release. I'm going to retry this, but wondering if it's related.

Failed to execute goal org.apache.avro:avro-maven-plugin:1.7.3:idl-protocol (default) on project 
spark-streaming-flume-sink_2.10: Execution default of goal 
org.apache.avro:avro-maven-plugin:1.7.3:idl-protocol failed: Plugin 
org.apache.avro:avro-maven-plugin:1.7.3 or one of its dependencies could not be resolved: 
Could not transfer artifact com.thoughtworks.paranamer:paranamer:jar:2.3 
from/to central (https://repo1.maven.org/maven2): hostname in certificate 
didn't match: <repo1.maven.org> != <repo.maven.apache.org> OR <repo.maven.apache.org> -> [Help 1]

Contributor

pwendell commented Aug 7, 2014

@srowen so I just re-ran the build and it worked... maybe this is a transient problem

Contributor

aarondav commented Aug 7, 2014

Just wait for the posts on the user list...

@srowen srowen deleted the SPARK-2879 branch August 7, 2014 06:41
Member Author

srowen commented Aug 7, 2014

@pwendell You're right that actually repo1.maven.org is canonical (http://central.stage.sonatype.org/pages/consumers.html). I'll send another small PR to touch that up, and one other small thing.

xiliu82 pushed a commit to xiliu82/spark that referenced this pull request Sep 4, 2014
viirya pushed a commit to viirya/spark-1 that referenced this pull request Oct 19, 2023
* Auto load IcebergSparkExtensions

* Add test

* Review comments

* Temp: upgrade to 1.3.0.1-apple to try to pass tests

* Fix tests

Co-authored-by: Szehon Ho <szehon.apache@gmail.com>