[isabelle-dev] Broken component: jdk7u40

Lars Hupel hupel at in.tum.de
Tue Sep 17 17:51:17 CEST 2013


> We've had such incidents before with these huge jdk components.  I had
> informed the local administrators about it, but they did not have any idea
> what could be wrong with the http server -- they made a reboot but it did
> not change substantially.  If anyone wants to investigate further --
> welcome.  There is no particular need for me to figure out web server
> problems at TUM.

Just tried downloading again, and the issue has been resolved.

> Just for the sake of scientific honesty, there is also some small chance
> that the perl-based download script of "isabelle components" is
> susceptible to bad versions of perl, wrong C libraries, fragile linux
> distributions, whatever.

The reason why I didn't consider "external" issues is that I was under the
impression that the integrity of the downloaded artifacts is checked
against `Admin/components/components.sha1`, but apparently that is not the
case. Is there a reason for that?

There is also a security concern here: A (random) repository snapshot can
be easily obtained via HTTPS, but downloading the components happens via
(untrusted) HTTP by default, without further integrity checks.
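
As an added illustration of the check discussed in this message (not code from Isabelle or from the poster): a small verifier that compares a downloaded component archive against a checksum manifest taken from the HTTPS-obtained repository snapshot. It assumes the manifest uses the `sha1sum` line format (`<digest>  <file name>`); the function names and the sample archive are hypothetical and constructed.

```python
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse lines of the assumed form '<40 hex digits>  <file name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 40:
            continue  # skip blank or malformed lines
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def sha1_of(path, chunk=1 << 20):
    """Hash the file in chunks so large archives are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_component(path, manifest):
    """True only if the archive is listed in the manifest and its digest matches."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False  # unlisted archive: fail closed instead of trusting it
    return hmac.compare_digest(sha1_of(path), expected)


def demo():
    """Constructed sample: an intact download, a modified one, an unlisted one."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "jdk7u40.tar.gz")  # constructed file name
        with open(archive, "wb") as f:
            f.write(b"constructed archive bytes")
        # Manifest as it would arrive via the trusted (HTTPS) channel.
        manifest = parse_manifest(sha1_of(archive) + "  jdk7u40.tar.gz\n")
        intact = verify_component(archive, manifest)
        with open(archive, "ab") as f:
            f.write(b"bytes altered in transit")  # simulate a corrupted HTTP transfer
        altered = verify_component(archive, manifest)
        unlisted = verify_component(os.path.join(d, "other.tar.gz"), manifest)
    return intact, altered, unlisted
```

The check is only as trustworthy as the channel the manifest came from, so the manifest has to be read from the repository snapshot rather than fetched alongside the archive.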


