[
https://issues.apache.org/jira/browse/SOLR-14695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17168401#comment-17168401
]
Noble Paul edited comment on SOLR-14695 at 7/31/20, 12:16 PM:
--------------------------------------------------------------
I want to address a very important use-case with this solution.
User should be able to clone the solr repo, modify the code of some first party
packages and do an
{{ant dist}}
and use it as their internal distribution.
After that, they should be able to add a solr repo and use that to upgrade
other packages
If we use PGP keys only to trust first party packages, this will not work.
sh512 is obviously not used for trust. A user who downloads a binary from our
download sites or a mirror has already verified the whole file with our PGP
keys. So, he is has already implicitly verified the sh512 of the first party
jars as well
Another use-case is testing.
Devs of first party packages would want to do testing of their packages
locally. Even, integration testing with JUnit would need support for unsigned
jars
was (Author: noble.paul):
I want to address a very important usecase with this solution.
User should be able to clone the solr repo, modify the code of some first party
packages and do an
{{ant dist}}
and use it as their internal distribution.
After that, they should be able to add a solr repo and use that to upgrade
other packages
If we use PGP keys only to trust first party packages, this will not work.
sh512 is obviously not used for trust. A user who downloads a binary from our
download sites or a mirror has already verified the whole file with our PGP
keys. So, he is has already implicitly verified the sh512 of the first party
jars as well
> Support loading of unsigned jars
> --------------------------------
>
> Key: SOLR-14695
> URL: https://issues.apache.org/jira/browse/SOLR-14695
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Package Manager, packages
> Reporter: Noble Paul
> Assignee: Noble Paul
> Priority: Major
>
> Solr distribution can keep a set of sha512 hashes of already trusted jars.
> This helps loading first party jars without signing.
> The file may look as follows and this is placed at
> {{<solr-home>/filestore/\_trusted_/artifacts.json}}
> {code:json}
> {
> "file-sha512" : {
> "dih-8.6.1.jar" :
> "d01b51de67ae1680a84a813983b1de3b592fc32f1a22b662fc9057da5953abd1b72476388ba342cad21671cd0b805503c78ab9075ff2f3951fdf75fa16981420"
> }
> }
> {code}
> * if the sha512 of a certain file is trusted, it does not have to be signed
> with any keys.
> * There is no API to create or modify this. The Solr build scripts create
> this file at build time and add this to the distro
> see the
> [document|https://docs.google.com/document/d/1n7gB2JAdZhlJKFrCd4Txcw4HDkdk7hlULyAZBS-wXrE/edit#]
> for more details
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
