How does securely obtain and verify openjdk repositories as a non-contributor?
David Black
dblack at atlassian.com
Fri Aug 31 01:32:22 UTC 2018
Hi,
I am asking this because I am not able to find information on if
openjdk uses signed tags/commits & because those of us without commit
access cannot use ssh to clone the openjdk mercurial repositories
hosted on http://hg.openjdk.java.net/ . Also, hg.openjdk.java.net is
not available over https. As a result it appears to me that projects
like AdoptOpenJDK have to insecurely obtain openjdk sources over
http[0].
Thank you in advance.
[0] https://github.com/AdoptOpenJDK/openjdk-build/blob/master/git-hg/update-without-modules.sh#L36
--
David Black / Security Engineer.
More information about the security-dev
mailing list