[ https://issues.apache.org/jira/browse/SOLR-14695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17168005#comment-17168005 ]
Noble Paul edited comment on SOLR-14695 at 7/30/20, 3:34 PM:
-------------------------------------------------------------

{quote}I assume you propose this as a temporary solution for shipping 1st party packages as part of "fat distro", i.e. the distro tgz contains all packages.{quote}

Well, this is a permanent solution. We need a solution that requires no keys because:

* By default we do not want to force users to trust our RMs. It's possible that our users installed the cluster and some of the RM's keys got compromised and nobody knows about it yet. In this case, even if it's compromised, nobody will be able to install malicious code in users' clusters. The RM will have to include the sha512 of the malicious jar at the time of the release, and nobody notices for a long time that he has included a wrong jar.
* With this solution, users can make their own distribution without any keys. Users can clone the Solr repo, do an {{ant dist}} and install the distro in their cluster, and everything works as if they downloaded it from our official distributions. Otherwise, we will have to make a separate workflow for users whose keys are not there in the project's KEYS file.
* The same solution will work for fat-solr & slim-solr. As long as the SHA512 is the same, the jars can be loaded from a local filesystem or they can be downloaded from the internet.

The normal UX will be as follows. Users will trust the distro they downloaded using the SHA512. If a user downloads Solr 9.0, all the first party packages (and their dependencies) jars for Solr 9.0 version will be trusted automatically and they can install all 9.0 first party packages without any keys. If the user wishes to upgrade any of the packages (say hdfs) from {{solr-hdfs:9.0}} to a newer version, they will have to add our hosted repo to their trusted repositories.

was (Author: noble.paul):

{quote}I assume you propose this as a temporary solution for shipping 1st party packages as part of "fat distro", i.e. the distro tgz contains all packages.{quote}

Well, this is a permanent solution. We need a solution that requires no keys because:

* By default we do not want to force users to trust our RMs. It's possible that our users installed the cluster and some of the RM's keys got compromised and nobody knows about it yet. In this case, even if it's compromised, nobody will be able to install malicious code in users' clusters. The RM will have to include the sha512 of the malicious jar at the time of the release, and nobody notices for a long time that he has included a wrong jar.
* With this solution, users can make their own distribution without any keys. Users can clone the Solr repo, do an {{ant dist}} and install the distro in their cluster, and everything works as if they downloaded it from our official distributions. Otherwise, we will have to make a separate workflow for users whose keys are not there in the project's KEYS file.

The normal UX will be as follows. Users will trust the distro they downloaded using the SHA512. If a user downloads Solr 9.0, all the first party packages (and their dependencies) jars for Solr 9.0 version will be trusted automatically and they can install all 9.0 first party packages without any keys. If the user wishes to upgrade any of the packages (say hdfs) from {{solr-hdfs:9.0}} to a newer version, they will have to add our hosted repo to their trusted repositories.

> Support loading of unsigned jars
> --------------------------------
>
> Key: SOLR-14695
> URL: https://issues.apache.org/jira/browse/SOLR-14695
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Package Manager, packages
> Reporter: Noble Paul
> Assignee: Noble Paul
> Priority: Major
>
> Solr distribution can keep a set of sha512 hashes of already trusted jars. This helps loading first party jars without signing.
> The file may look as follows and this is placed at {{<solr-home>/filestore/\_trusted_/artifacts.json}}
> {code:json}
> {
>   "file-sha512" : {
>     "dih-8.6.1.jar" : "d01b51de67ae1680a84a813983b1de3b592fc32f1a22b662fc9057da5953abd1b72476388ba342cad21671cd0b805503c78ab9075ff2f3951fdf75fa16981420"
>   }
> }
> {code}
> * if the sha512 of a certain file is trusted, it does not have to be signed with any keys.
> * There is no API to create or modify this. The Solr build scripts create this file at build time and add this to the distro
> see the [document|https://docs.google.com/document/d/1n7gB2JAdZhlJKFrCd4Txcw4HDkdk7hlULyAZBS-wXrE/edit#] for more details

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
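The trust check that the issue and the comment describe, written out as an added Python example (this is not Solr's own code and not part of the Jira thread): a build step emits `artifacts.json` in the `{"file-sha512": {name: hex}}` shape shown above, and a loader admits a jar without a signature only when its sha512 appears in that file. The jar name, its contents and the `demo()` scenario are constructed for the demo; the path `filestore/_trusted_/artifacts.json` is the one the issue gives.

```python
"""Added example, not Solr's code: model of the sha512 trust list from SOLR-14695.
A jar whose sha512 is listed in <solr-home>/filestore/_trusted_/artifacts.json
may be loaded without a key-based signature; any other jar still needs one.
Jar names, contents and the scenario below are constructed for this demo."""
import hashlib
import json
import os
import tempfile

# Relative path of the trust list inside solr-home, as given in the issue.
TRUSTED_FILE = os.path.join("filestore", "_trusted_", "artifacts.json")


def sha512_of(path):
    """Hex sha512 of a file, streamed so a large jar need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def valid_sha512_hex(digest):
    """A sha512 hex digest is exactly 128 hex characters."""
    d = digest.lower()
    return len(d) == 128 and all(c in "0123456789abcdef" for c in d)


def load_trusted_hashes(solr_home):
    """Parse artifacts.json into a set of lowercase hex digests.
    A malformed entry is an error rather than being skipped, so a corrupted or
    hand-edited file cannot silently widen what is trusted."""
    path = os.path.join(solr_home, TRUSTED_FILE)
    if not os.path.exists(path):
        return set()
    with open(path, "r", encoding="utf-8") as f:
        doc = json.load(f)
    trusted = set()
    for name, digest in doc.get("file-sha512", {}).items():
        if not valid_sha512_hex(digest):
            raise ValueError("malformed sha512 for %r in %s" % (name, path))
        trusted.add(digest.lower())
    return trusted


def is_trusted(jar_path, trusted):
    """Trust is decided by content hash only: as the comment says, the same
    bytes are trusted whether they come from the local filesystem or were
    downloaded, and the file name plays no part in the decision."""
    return sha512_of(jar_path) in trusted


def build_demo_distro(root):
    """Construct a toy distro: one fake first-party jar and the artifacts.json
    a build script would generate from it (there is no runtime API to add to it)."""
    solr_home = os.path.join(root, "solr-home")
    os.makedirs(os.path.join(solr_home, "filestore", "_trusted_"))
    jar = os.path.join(root, "demo-first-party-9.0.jar")  # constructed name
    with open(jar, "wb") as f:
        f.write(b"PK\x03\x04 not a real jar, constructed payload\n")
    doc = {"file-sha512": {os.path.basename(jar): sha512_of(jar)}}
    with open(os.path.join(solr_home, TRUSTED_FILE), "w", encoding="utf-8") as f:
        json.dump(doc, f, indent=2)
    return solr_home, jar


def demo():
    """Verdicts for the shipped jar, a renamed copy (same bytes) and a copy
    with one byte changed, which is how a replaced jar looks to the check."""
    with tempfile.TemporaryDirectory() as root:
        solr_home, shipped = build_demo_distro(root)
        trusted = load_trusted_hashes(solr_home)
        with open(shipped, "rb") as f:
            data = f.read()
        renamed = os.path.join(root, "renamed-copy.jar")
        tampered = os.path.join(root, "tampered.jar")
        with open(renamed, "wb") as f:
            f.write(data)
        with open(tampered, "wb") as f:
            f.write(data[:-1] + b"!")
        return {
            "shipped": is_trusted(shipped, trusted),
            "renamed": is_trusted(renamed, trusted),
            "tampered": is_trusted(tampered, trusted),
        }


if __name__ == "__main__":
    print(demo())
```

The whole scheme rests on two things the issue already states: the user verifies the downloaded distro's SHA512 (so `artifacts.json` arrives intact), and nothing at runtime can create or modify the file. An operator reviewing a deployment should therefore treat write access to `filestore/_trusted_/` by the Solr process or other users as something to detect and prevent, since an added entry there is equivalent to an unsigned install permission.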