How does one securely obtain and verify openjdk repositories as a non-contributor?

Bradford Wetmore bradford.wetmore at oracle.com
Fri Aug 31 18:16:22 UTC 2018


I would suggest contacting ops at openjdk.java.net; they should be able to
answer these kinds of infrastructure questions.

Best wishes,

Brad

On 8/30/2018 6:32 PM, David Black wrote:
> Hi,
> I am asking this because I am not able to find information on whether
> openjdk uses signed tags/commits & because those of us without commit
> access cannot use ssh to clone the openjdk mercurial repositories
> hosted on http://hg.openjdk.java.net/ . Also, hg.openjdk.java.net is
> not available over https. As a result it appears to me that projects
> like AdoptOpenJDK have to insecurely obtain openjdk sources over
> http[0].
> 
> 
> 
> Thank you in advance.
> 
> 
> [0] https://github.com/AdoptOpenJDK/openjdk-build/blob/master/git-hg/update-without-modules.sh#L36
> 


