[
https://issues.apache.org/jira/browse/SOLR-14695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17168541#comment-17168541
]
Ishan Chattopadhyaya edited comment on SOLR-14695 at 7/31/20, 9:08 AM:
-----------------------------------------------------------------------
bq. So this sha validation is only good for the fat-solr distro or when you
want to bundle your custom packages in the same way without worrying about keys
and repos.
Perferably, this should only be used for first party Solr packages. All third
party packages should come from hosted repositories (signed by GPG etc.).
It will be fairly chaotic for the user if third party packages came "trusted"
in custom docker images. Users can easily get vanilla docker images of Solr,
run an {{add-repo}} and {{install}} command to install their packages. This
isn't hard to script up in Ansible or Kubernetes or Terraform, such that it
appears to the user as if those packages came pre-installed.
was (Author: ichattopadhyaya):
bq. So this sha validation is only good for the fat-solr distro or when you
want to bundle your custom packages in the same way without worrying about keys
and repos.
Perferably, this should only be used for first party Solr packages. All third
party packages should come from hosted repositories (signed by GPG etc.).
It will be fairly chaotic for the user if third party packages came "trusted"
in custom docker images. Users can easily get vanilla docker images of Solr,
run an {{add-repo}} and {{install}} command to install their packages. This
isn't hard to script up in Ansible or Kubernetes or Terraform.
> Support loading of unsigned jars
> --------------------------------
>
> Key: SOLR-14695
> URL: https://issues.apache.org/jira/browse/SOLR-14695
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Package Manager, packages
> Reporter: Noble Paul
> Assignee: Noble Paul
> Priority: Major
>
> Solr distribution can keep a set of sha512 hashes of already trusted jars.
> This helps loading first party jars without signing.
> The file may look as follows and this is placed at
> {{<solr-home>/filestore/\_trusted_/artifacts.json}}
> {code:json}
> {
> "file-sha512" : {
> "dih-8.6.1.jar" :
> "d01b51de67ae1680a84a813983b1de3b592fc32f1a22b662fc9057da5953abd1b72476388ba342cad21671cd0b805503c78ab9075ff2f3951fdf75fa16981420"
> }
> }
> {code}
> * if the sha512 of a certain file is trusted, it does not have to be signed
> with any keys.
> * There is no API to create or modify this. The Solr build scripts create
> this file at build time and add this to the distro
> see the
> [document|https://docs.google.com/document/d/1n7gB2JAdZhlJKFrCd4Txcw4HDkdk7hlULyAZBS-wXrE/edit#]
> for more details
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
