Open keith-turner opened 6 years ago
blueshift-brasil
commented
6 years ago Just a question about this.
Do you think we can use the md5 file downloaded from Apache website or check in hardcoded way like this:
RUN curl -sSL -o redis.tar.gz \ http://download.redis.io/releases/redis-3.0.1.tar.gz \ && echo "fe1d06599042bfe6a0e738542f302ce9533dde88 *redis.tar.gz" \ | sha1sum -c -
ctubbsii
commented
6 years ago I kind of like the hard-coded way best. We declare a specific version, so we should know what the expected checksum is for that particular version. This is what https://github.com/astralway/uno does, and it's a similar strategy to the W3C's subresource integrity checks for utilizing resources from CDNs: https://w3c.github.io/webappsec-subresource-integrity/
ctubbsii
commented
6 years ago Oh, also, the hardcoded solution saves us from accessing the apache.org site when not needed, which is the whole point of utilizing the mirrors.
keith-turner
commented
6 years ago I think the hardcoded solution is ok.
blueshift-brasil
commented
6 years ago Done!
The docker build file downloads Hadoop, Zookeeper, and Accumulo from Apache mirrors. It would be nice to directly download the expected checksums directly from Apache (using https) and verify the files.