Verify checksums for files downloaded from Apache mirrors

[keith-turner]

The docker build file downloads Hadoop, Zookeeper, and Accumulo from Apache mirrors. It would be nice to directly download the expected checksums directly from Apache (using https) and verify the files.

[blueshift-brasil]

Just a question about this.
Do you think we can use the md5 file downloaded from Apache website or check in hardcoded way like this:
RUN curl -sSL -o redis.tar.gz \ http://download.redis.io/releases/redis-3.0.1.tar.gz \ && echo "fe1d06599042bfe6a0e738542f302ce9533dde88 *redis.tar.gz" \ | sha1sum -c -

[ctubbsii]

I kind of like the hard-coded way best. We declare a specific version, so we should know what the expected checksum is for that particular version. This is what https://github.com/astralway/uno does, and it's a similar strategy to the W3C's subresource integrity checks for utilizing resources from CDNs: https://w3c.github.io/webappsec-subresource-integrity/

[ctubbsii]

Oh, also, the hardcoded solution saves us from accessing the apache.org site when not needed, which is the whole point of utilizing the mirrors.

[keith-turner]

I think the hardcoded solution is ok.

[blueshift-brasil]

Done!