Open source project: steveloughran/winutils
Project URL: https://github.com/steveloughran/winutils
Language: Shell 52.6%
Project description:

winutils

Windows binaries for Hadoop versions

These are built directly from the same git commit used to create the official ASF releases; they are checked out and built on a Windows VM which is dedicated purely to testing Hadoop/YARN apps on Windows. It is not a day-to-day used system, so it is isolated from drive-by/email security attacks.

Status: Go to cdarlint/winutils for current artifacts

I've been too busy with things to work on this for a long time, so I'm grateful to cdarlint for taking up this work: cdarlint/winutils. If you want more current binaries, please go there. Do note that given some effort it should be possible to avoid the

Hadoop Security: can you trust this release?
Someone malicious would need physical access to my office to sign artifacts under my name. If they could do that, they could commit malicious code into Hadoop itself, even signing those commits with the same GPG key. Though they'd need the PIN to unlock the key, which I have to type in whenever the laptop wakes up and I want to sign something. That would take getting something malicious onto my machine, or sniffing the Bluetooth packets from the keyboard to the laptop. Were someone to get physical access to my machine, they could probably install a malicious version of

The other tactic would have been for a malicious YubiKey to end up being delivered by Amazon to my house. I don't have any defences against anyone going to that level of effort.

2017-12 Update

That key has been revoked, though it was never actually compromised: the prime number generator on the YubiKey lacked randomness, hence an emergency cancellation session. I have not set things up properly again.

Note: Artifacts prior to Hadoop 2.8.0-RC3 [were signed with a different key](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xA92454F9174786B4); again, on the ASF key list.

Build Process

A dedicated Windows Server 2012 VM is used for building and testing Hadoop stack artifacts. It is not used for anything else. This uses a VS build setup from 2010; compiler and linker version: 16.00.30319.01 for x64
Maven 3.3.9 was used; its signature was checked to be that of [email protected]. While my key list doesn't directly trust that signature, I do trust that of other signatories: https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC7BF26D0BB617866
Java 1.8:
Release process

Windows VM

In

The version to build is checked out from the declared SHA1 checksum of the release/RC, hopefully moving to signed tags once signing becomes more common there. The build was executed, relying on the fact that the
This creates a distribution, with the native binaries under
Create a zip file containing the contents of the

Host machine: Sign everything

Pull down the newly added files from GitHub, then sign the binary ones and push the .asc signatures back. There isn't a way to sign multiple files in gpg2 on the command line, so it's either write a loop in bash or just edit the line and let path completion simplify your life. Here's the list of sign commands:
Verify the existence of the files, then
Then go to the directory with the zip file and sign that file too
On GitHub, create the release.
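The bash loop the README mentions, written out as an added example that is not part of the winutils project: it lists every binary under a version directory that has no `.asc` beside it, signs those with a detached ASCII-armoured signature, and gives a downloader a single check that every binary verifies. The `gpg` binary name (the README used gpg2), the signing key id and the directory layout are assumptions.

```shell
# Added example, not the winutils project's own script. Assumptions: gpg is on
# PATH, KEY_ID is a placeholder for the signer's key, and paths contain no spaces.
GPG=${GPG:-gpg}
KEY_ID=${KEY_ID:-REPLACE_WITH_SIGNING_KEY_ID}

# Print, one per line, every regular file under $1 that is not itself a .asc
# and has no sibling <file>.asc yet (the "verify the existence of files" step).
files_to_sign() {
    find "$1" -type f ! -name '*.asc' | sort | while IFS= read -r f; do
        [ -f "$f.asc" ] || printf '%s\n' "$f"
    done
}

# One detached, ASCII-armoured signature per unsigned file, written as <file>.asc
# beside it so it can be pushed back to the repository next to the binary.
sign_all() {
    for f in $(files_to_sign "$1"); do
        "$GPG" --local-user "$KEY_ID" --armor --detach-sign --output "$f.asc" "$f" || return 1
    done
}

# The downloader's check: every .asc must verify against its binary, no
# signature may be orphaned, and no binary may be left unsigned.
verify_all() {
    status=0
    for sig in $(find "$1" -type f -name '*.asc'); do
        f=${sig%.asc}
        if [ ! -f "$f" ]; then
            echo "orphan signature: $sig"; status=1; continue
        fi
        "$GPG" --verify "$sig" "$f" 2>/dev/null || { echo "BAD signature: $f"; status=1; }
    done
    unsigned=$(files_to_sign "$1")
    [ -z "$unsigned" ] || { echo "unsigned: $unsigned"; status=1; }
    return "$status"
}
```

On the signing host run `sign_all <version-dir>` after pulling the new binaries; after downloading, import the signer's public key and run `verify_all <version-dir>` before using anything.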