[ https://issues.apache.org/jira/browse/SOLR-14695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17168553#comment-17168553 ]

Jan Høydahl edited comment on SOLR-14695 at 7/31/20, 9:25 AM:
--------------------------------------------------------------

{quote}All third party packages should come from hosted repositories
{quote}
Sure, I'm talking about custom company-internal packages here, kind of an 
extension of the use case Noble talked about, for Docker users.

Once there is a *custom* solr distro, users need to trust the publisher of that 
distro for all that it contains.

If there is a custom Dockerfile, a user would need to trust whatever extra bits 
are assembled into that Docker image, but if the Dockerfile inherits Solr's 
Dockerfile, the user could still choose to trust the base layers with solr-core 
and 1st-party packages.


was (Author: janhoy):
{quote}All third party packages should come from hosted repositories
{quote}
Sure, I'm talking about custom company-internal packages here, kind of an 
extension of the use case Noble talked about, for Docker users.

> Support loading of unsigned jars
> --------------------------------
>
>                 Key: SOLR-14695
>                 URL: https://issues.apache.org/jira/browse/SOLR-14695
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Package Manager, packages
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>            Priority: Major
>
> Solr distribution can keep a set of sha512 hashes of already trusted jars. 
> This helps loading first party jars without signing.
> The file may look as follows and this is placed at 
> {{<solr-home>/filestore/\_trusted_/artifacts.json}}
> {code:json}
> {
>   "file-sha512" : {
>     "dih-8.6.1.jar" : 
> "d01b51de67ae1680a84a813983b1de3b592fc32f1a22b662fc9057da5953abd1b72476388ba342cad21671cd0b805503c78ab9075ff2f3951fdf75fa16981420"
>   }
> }
> {code}
>  * if the sha512 of a certain file is trusted, it does not have to be signed 
> with any keys.
>  * There is no API to create or modify this. The Solr build scripts create 
> this file at build time and add this to the distro.
> See the 
> [document|https://docs.google.com/document/d/1n7gB2JAdZhlJKFrCd4Txcw4HDkdk7hlULyAZBS-wXrE/edit#]
>  for more details.
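As an added illustration, not Solr's own code, here is a Python sketch of the check the description implies: look the jar up in artifacts.json by file name, recompute its SHA-512, and only then allow it to load without a signature. The jar bytes, the digest in the sample trust store and the `loading_policy` helper are constructed for this example.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample: the digest is the real SHA-512 of these constructed bytes,
# not of any real Solr jar. The layout mirrors the artifacts.json in the issue.
SAMPLE_JAR_BYTES = b"first-party jar bytes (constructed)"
SAMPLE_TRUST_STORE = {
    "file-sha512": {
        "dih-8.6.1.jar": hashlib.sha512(SAMPLE_JAR_BYTES).hexdigest(),
    }
}


def load_trusted_hashes(path):
    """Read <solr-home>/filestore/_trusted_/artifacts.json into {name: sha512hex}."""
    with open(path) as f:
        return json.load(f)["file-sha512"]


def sha512_of_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_trusted_by_hash(jar_path, trusted):
    expected = trusted.get(os.path.basename(jar_path))
    if expected is None:
        return False
    # Compare the digest, not just the name: a tampered jar with a trusted name fails.
    return hmac.compare_digest(sha512_of_file(jar_path).lower(), expected.lower())


def loading_policy(jar_path, trusted):
    """'trusted-hash' means the jar may load unsigned; otherwise a signature is required."""
    return "trusted-hash" if is_trusted_by_hash(jar_path, trusted) else "signature-required"


def demo():
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "artifacts.json")
        with open(store, "w") as f:
            json.dump(SAMPLE_TRUST_STORE, f)
        trusted = load_trusted_hashes(store)
        cases = {"intact": ("dih-8.6.1.jar", SAMPLE_JAR_BYTES),
                 "tampered": ("dih-8.6.1.jar", SAMPLE_JAR_BYTES + b"x"),
                 "unknown": ("other.jar", SAMPLE_JAR_BYTES)}
        results = {}
        for label, (name, data) in cases.items():
            p = os.path.join(d, label + "-" + name)
            with open(p, "wb") as f:
                f.write(data)
            # basename lookup happens on the real name, so copy under a subdir
            real = os.path.join(d, label, name)
            os.makedirs(os.path.dirname(real), exist_ok=True)
            os.replace(p, real)
            results[label] = loading_policy(real, trusted)
        return results


if __name__ == "__main__":
    print(demo())  # {'intact': 'trusted-hash', 'tampered': 'signature-required', 'unknown': 'signature-required'}
```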



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
