
Wire up --incompatible_disallow_unverified_http_downloads for maven_server #9235

Closed
wants to merge 3 commits into from

Conversation

jin
Member

@jin jin commented Aug 23, 2019

Force usage of either HTTPS or HTTP w/ SHA-1. Note that SHA-1 is still susceptible to collision attacks, but this should reduce the exploitable surface of the current implementation that allows plain HTTP without checksums.

Also see #6799 (comment)

…erver

Change-Id: Ibba0269e169f65fddb8b3cea0fc0a3e3905d179c
Change-Id: I6d04a061a17cf35cc2a7a8062f05c777118edf92
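The policy the flag enforces, as an added illustration in Python rather than Bazel's own Java implementation: HTTPS is always accepted, plain HTTP only with a SHA-1 to check against, and the checksum is verified over the fetched bytes. `download_allowed`, `fetch_and_check`, `fake_fetch` and the sample artifact bytes are constructed for this example and are not part of the pull request.

```python
import hashlib
import hmac
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed stand-in for a jar served by a Maven server; not a real artifact.
SAMPLE_JAR_BYTES = b"PK\x03\x04 constructed sample artifact bytes"
SAMPLE_JAR_SHA1 = hashlib.sha1(SAMPLE_JAR_BYTES).hexdigest()


def download_allowed(url: str, sha1: Optional[str],
                     disallow_unverified_http: bool = True) -> bool:
    """Policy behind --incompatible_disallow_unverified_http_downloads:
    HTTPS is always accepted; plain HTTP only when a SHA-1 is declared.
    With the flag off (the behaviour the PR tightens), plain HTTP with no
    checksum is still accepted."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return True
    if scheme == "http":
        return bool(sha1) or not disallow_unverified_http
    return False  # other schemes are outside this policy


def verify_sha1(data: bytes, expected_sha1: str) -> bool:
    """Compare the SHA-1 of the fetched bytes with the declared digest.
    SHA-1 is collision-weak, so this only pins the artifact to what the
    author declared; it is transport integrity, not strong authentication."""
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha1.strip().lower())


def fetch_and_check(url: str, sha1: Optional[str],
                    fetch: Callable[[str], bytes],
                    disallow_unverified_http: bool = True) -> bytes:
    """Gate the fetch on the policy, then verify the checksum if one is declared."""
    if not download_allowed(url, sha1, disallow_unverified_http):
        raise ValueError(f"refusing unverified non-HTTPS download: {url}")
    data = fetch(url)
    if sha1 and not verify_sha1(data, sha1):
        raise ValueError(f"SHA-1 mismatch for {url}")
    return data


def fake_fetch(url: str) -> bytes:
    """Offline fetcher for the example; returns altered bytes for one URL."""
    if url.endswith("tampered.jar"):
        return SAMPLE_JAR_BYTES + b"\x00"
    return SAMPLE_JAR_BYTES
```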
@aiuto aiuto self-assigned this Aug 23, 2019
@aiuto aiuto self-requested a review August 23, 2019 19:02
@jin jin added the team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file. label Aug 23, 2019
@JLLeitschuh

Will there be another warning just simply acknowledging that sha1 is considered cryptographically broken?

@jin
Member Author

jin commented Aug 23, 2019

@JLLeitschuh The issue with that now is warning spam (especially for projects with many maven_jar rules) with no simple and immediate actionable, like switching to SHA-256 immediately because that attribute does not exist yet. I can look into adding a SHA-256 attribute to maven_jar.

Change-Id: I61b96b1d797071dc84291fecbf05a45d927240a5
@dstiers-1109

Thank you

@bazel-io bazel-io closed this in 06d79dd Aug 26, 2019
@philwo philwo added the team-OSS Issues for the Bazel OSS team: installation, release processBazel packaging, website label Jun 15, 2020
@philwo philwo removed the team-OSS Issues for the Bazel OSS team: installation, release processBazel packaging, website label Nov 29, 2021