How does one securely obtain and verify openjdk repositories as a non-contributor?

David Black dblack at atlassian.com
Fri Aug 31 01:32:22 UTC 2018


Hi,
I am asking this because I am not able to find information on whether
openjdk uses signed tags/commits, and because those of us without commit
access cannot use ssh to clone the openjdk mercurial repositories
hosted on http://hg.openjdk.java.net/ . Also, hg.openjdk.java.net is
not available over https. As a result, it appears to me that projects
like AdoptOpenJDK have to insecurely obtain openjdk sources over
http[0].
Thank you in advance.


[0] https://github.com/AdoptOpenJDK/openjdk-build/blob/master/git-hg/update-without-modules.sh#L36
-- 
David Black / Security Engineer.
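The concern raised above is that a build pipeline pulls sources over plain http, where the transport authenticates nothing, and the upstream offers no signed tags or commits to check afterwards. A practical first check on the defender's side is to audit build scripts for fetches that use http:// rather than https:// or ssh. The scanner below is an added example, not code from the original post or from the AdoptOpenJDK project; the sample script it runs over is constructed for illustration, and the repository paths in it (the PLACEHOLDER segments) are made-up values, not real openjdk repository names.

```python
"""Audit a build script for source fetches over plaintext HTTP.

Added example: finds `hg`, `git`, `curl` and `wget` invocations whose
URL uses http://, i.e. a transport that provides neither server
authentication nor integrity for the sources being fetched.
"""
import re
from typing import List, Tuple

# Commands that pull remote content into the build.
FETCH_CMDS = r"(?:hg\s+(?:clone|pull)|git\s+(?:clone|fetch|pull)|curl|wget)"

# A fetch command followed, on the same line and outside a comment,
# by an http:// URL. "https://" never matches "http://" literally.
PLAINTEXT_URL = re.compile(rf"\b{FETCH_CMDS}\b[^\n#]*?(http://[^\s\"']+)")


def find_plaintext_fetches(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, url, stripped_line) for each http:// fetch.

    Lines that are entirely comments are skipped so that commented-out
    commands do not produce findings.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        match = PLAINTEXT_URL.search(line)
        if match:
            findings.append((lineno, match.group(1), stripped))
    return findings


# Constructed sample, loosely modelled on a hg-to-git sync script.
# Repository paths marked PLACEHOLDER are invented for the example.
SAMPLE_SCRIPT = """#!/bin/bash
# constructed sample, loosely modelled on a hg-to-git sync script
set -e
# hg clone http://commented.invalid/repo   (comment line, ignored)
hg clone http://hg.openjdk.java.net/PLACEHOLDER/jdk "$WORKDIR/jdk"
git clone https://github.com/PLACEHOLDER/mirror.git "$WORKDIR/mirror"
hg pull -u http://hg.openjdk.java.net/PLACEHOLDER/jdk8u
curl -fsSL https://PLACEHOLDER.invalid/checksums.txt -o sums.txt
"""


def report(script: str) -> int:
    """Print findings and return their count (non-zero means 'fails audit')."""
    findings = find_plaintext_fetches(script)
    for lineno, url, line in findings:
        print(f"line {lineno}: plaintext fetch of {url}\n    {line}")
    return len(findings)


if __name__ == "__main__":
    raise SystemExit(1 if report(SAMPLE_SCRIPT) else 0)
```

Run against the sample, the audit flags the two `hg` commands on lines 5 and 7 and leaves the https fetches and the commented-out line alone. A finding here is the cue to pin what the fetch is expected to produce (for a Mercurial clone, the changeset id of the tip you intend to build) and compare after the clone, since the transport itself gives nothing to verify.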


