RFR: 8331164: createJMHBundle.sh download jars fail when url needed to be redirected
Erik Joelsson
erikj at openjdk.org
Fri Apr 26 12:45:36 UTC 2024
On Fri, 26 Apr 2024 11:30:24 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:
> Adding `-L` (follow redirects) to unconditionally follow redirects doesn't look right to me. I think one would want to know, during the build process, if any URLs that are in use (like this one) have changed their location and then decide if the build script should be updated to point to the new URL. I'll let the build team decide if this is OK to change. I don't know anything about the server (Maven mirror?) you are using that's generating this redirect, to suggest a workaround.
The script already falls back on wget if curl isn't found and that will AFAIK follow redirects by default. If we want to secure the download, we should add checksums in the script for each jar being downloaded. I don't think inconveniencing the download is the right approach for improving security.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/18965#issuecomment-2079313636
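
The checksum approach suggested in the reply above, sketched as an added example (not code from this thread or from createJMHBundle.sh): each download is compared against a SHA-256 pinned in the script, so a redirect to a different host cannot change what the build accepts. The function names are hypothetical, and the sample file and its digest (the well-known SHA-256 of the string `abc`) are constructed for the demo.

```shell
#!/bin/sh
# Added example: pin a SHA-256 per downloaded file and verify it before use.
# Function names are hypothetical; they are not part of createJMHBundle.sh.

# Print the lowercase hex SHA-256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED_SHA256: return 0 on match, 1 on mismatch.
verify_file() {
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
}

# fetch_verified URL FILE EXPECTED_SHA256
# Follows redirects (curl -L, or wget, which follows them by default), then
# deletes the file unless its content matches the pinned checksum.
fetch_verified() {
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$2" "$1" || return 1
    else
        wget -q -O "$2" "$1" || return 1
    fi
    verify_file "$2" "$3" || { rm -f "$2"; return 1; }
}

# Offline demo on a constructed file: "abc" matches the pinned digest,
# and the same file with one byte appended is rejected.
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo() {
    tmp=$(mktemp) || return 1
    printf 'abc' > "$tmp"
    if verify_file "$tmp" "$ABC_SHA256"; then r1=ok; else r1=bad; fi
    printf 'x' >> "$tmp"
    if verify_file "$tmp" "$ABC_SHA256" 2>/dev/null; then r2=ok; else r2=bad; fi
    rm -f "$tmp"
    echo "$r1 $r2"
}
demo
```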