If this works for you, no need for winutils at all!

Status: Go to cdarlint/winutils for current artifacts

I've been too busy with things to work on this for a long time, so I'm grateful for cdarlint to take up this work:

If you want more current binaries, please go there.

Do note that given some effort it should be possible for the Hadoop file:// classes (Local and RawLocal) to avoid needing the hadoop native libs except in the special case that you are doing file permissions work. If someone wants to put some effort into cutting the need for these libs on Windows systems just to run Spark & similar locally, file a JIRA on Apache, then a PR against apache/hadoop. Thanks

Security: can you trust this release?

I am the Hadoop committer "stevel": I have nothing to gain by creating malicious versions of these binaries. If I wanted to run anything on your systems, I'd be able to add the code into Hadoop itself.

My keys are published on the ASF committer keylist under my username.

The latest GPG key (E7E4 26DF 6228 1B63 D679 6A81 950C C3E0 32B7 9CA2) actually lives on a yubikey for physical security; the signing takes place there.

The same yubikey key is used for 2FA to GitHub, for uploading artifacts and making the release.

Someone malicious would need physical access to my office to sign artifacts under my name. If they could do that, they could commit malicious code into Hadoop itself, even signing those commits with the same GPG key. Though they'd need the pin number to unlock the key, which I have to type in whenever the laptop wakes up and I want to sign something. That'd take getting something malicious onto my machine, or sniffing the bluetooth packets from the keyboard to laptop.
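
The trust argument in the Security section depends on each artifact carrying a valid signature from the key whose fingerprint is quoted there. As an added example (not part of the original README), these shell functions pin that fingerprint and check gpg's machine-readable status output against it; the function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the winutils repository.
# Fingerprint quoted in the README's Security section, spaces removed.
PINNED_FPR="E7E426DF62281B63D6796A81950CC3E032B79CA2"

# Reads `gpg --status-fd` output on stdin and succeeds only when:
#   - a VALIDSIG line names the pinned key, either as the key that made the
#     signature (field 3) or as its primary key (last field); the second
#     case covers signatures made by a signing subkey, and
#   - no BADSIG or REVKEYSIG line is present.
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# Verify a detached signature and require the pinned signer.
# Usage: verify_artifact winutils.exe.asc winutils.exe   (placeholder names)
verify_artifact() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | signed_by_pinned_key
}
```

A "Good signature" message alone only says that some key in the local keyring signed the file, which is why the check compares fingerprints. Before pinning, confirm the fingerprint against the ASF committer keylist the README refers to.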