
[security] Download mechanism compromiseable. #55

Closed
bmarwell opened this issue Sep 6, 2018 · 7 comments

Comments

@bmarwell

bmarwell commented Sep 6, 2018

Hi,

For one, your download mechanism doesn't use Maven mechanisms. This means: no HTTPS, no checking of checksums or digital signatures. After download, the file could have been altered before execution. You don't do any checking, as far as I can tell.

On the other hand I'd like to be able to use my local proxying / mirroring repository.
With a hardcoded URL this is just not possible:
https://github.com/os72/protoc-jar/blob/master/src/main/java/com/github/os72/protocjar/Protoc.java#L271

I think it would be a wise idea to use the Maven API to download artifacts. Can this be done?
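The two checks the comment above says are missing from the direct-download path, HTTPS-only transport and digest verification before the binary is executed, are shown below as an added illustration. This is not protoc-jar code; the class name `DownloadGuard`, its methods and the sample bytes are constructed for the example. In real use the expected digest would come from a trusted source (a pinned value or the repository's signed metadata); here it is derived from the "published" copy only so the demo runs offline.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical guard around a direct artifact download: refuse non-HTTPS URLs
 * and refuse to use the downloaded bytes unless their SHA-256 matches a digest
 * obtained out of band. Example code, not part of protoc-jar.
 */
public class DownloadGuard {

    /** Policy check: only HTTPS download URLs are acceptable. */
    public static boolean isAllowedUrl(String url) {
        URI uri = URI.create(url);
        return "https".equalsIgnoreCase(uri.getScheme());
    }

    /** Lower-case hex SHA-256 of the given bytes. */
    public static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /**
     * Compare the computed digest with the expected one in constant time,
     * so the comparison itself leaks nothing about where the mismatch is.
     */
    public static boolean matchesExpected(byte[] data, String expectedSha256Hex) {
        byte[] actual = sha256Hex(data).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedSha256Hex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected);
    }

    public static void main(String[] args) {
        // Constructed sample: stand-in for the protoc binary as published...
        byte[] published = "protoc-binary-sample".getBytes(StandardCharsets.UTF_8);
        // ...and the digest the build would normally obtain from a trusted source.
        String pinned = sha256Hex(published);
        // A copy altered in transit or on disk differs in a single byte.
        byte[] tampered = published.clone();
        tampered[0] ^= 0x01;

        System.out.println("https URL allowed: " + isAllowedUrl("https://repo1.maven.org/maven2/"));
        System.out.println("http URL allowed:  " + isAllowedUrl("http://repo1.maven.org/maven2/"));
        System.out.println("published verifies: " + matchesExpected(published, pinned));
        System.out.println("tampered verifies:  " + matchesExpected(tampered, pinned));
    }
}
```

Resolving the artifact through Maven (as the later comments in this thread do with `protocArtifact`) gets equivalent checks from the repository layer, which is why it is preferable to re-implementing them around a hardcoded URL.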

@os72
Owner

os72 commented Sep 6, 2018

I guess it could be done, not sure how much effort. Could you prototype it?

@os72
Owner

os72 commented Sep 25, 2018

Re proxying, it's built-in:
https://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html#Proxies

Re local mirror, we could add an override (cmd line or property, downloadUrl or something)

Would that work for your environment?

@bmarwell
Author

Yes, that would also work.
A solution I'm currently using is this:

    <plugins>
      <!-- compile protobuf files -->
      <plugin>
        <groupId>com.github.os72</groupId>
        <artifactId>protoc-jar-maven-plugin</artifactId>
        <version>3.6.0.1</version>
        <configuration>
          <protocVersion>${dependency.protoc.version}</protocVersion>
          <includeStdTypes>true</includeStdTypes>

          <!-- resolve protoc as a Maven artifact instead of a direct download -->
          <protocArtifact>com.google.protobuf:protoc:${dependency.protoc.version}</protocArtifact>

          <outputTargets>
            <outputTarget>
              <type>java</type>
              <outputDirectory>target/generated-sources/protobuf-java</outputDirectory>
            </outputTarget>
            <outputTarget>
              <type>js</type>
              <outputDirectory>target/generated-sources/protobuf-js</outputDirectory>
            </outputTarget>
            <outputTarget>
              <type>grpc-java</type>
              <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dependency.grpc.version}</pluginArtifact>
              <outputDirectory>target/generated-sources/grpc-java</outputDirectory>
            </outputTarget>
          </outputTargets>
        </configuration>
        <executions>
          <execution>
            <phase>generate-sources</phase>
            <goals>
              <goal>run</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>

By specifying the artifact ID (group, artifact and version), it will use the standard Maven mechanisms. The documentation doesn't say this explicitly. A direct download should be the VERY last resort, especially via HTTPS. Why use a proxy if you already have a mirror (which in turn has a proxy configured)?

@os72
Owner

os72 commented Sep 25, 2018

Well, part of the question was about the proxy. I guess a download URL override could be an enhancement.

Note that protoc-jar is independent of Maven APIs. Which doesn't mean it cannot be improved as suggested (as an option).

@bmarwell
Author

True… it may be an optional dependency, but I always find Class.forName("") ugly (and therefore should be avoided).

If you make the URL configurable, this would already be helpful. Perhaps a switch to switch direct downloading on and off (thus making the last step optional and fail fast).

@os72
Owner

os72 commented Mar 14, 2019

@bmhm, are you using a Maven mirror or proxy? Your settings.xml would be useful:
https://maven.apache.org/guides/mini/guide-mirror-settings.html
(See issue #57)

Could you try building this branch
https://github.com/os72/protoc-jar/tree/support_mirror

And run

    java -jar protoc-jar-3.7.0.1-SNAPSHOT.jar --version -v351

Thanks

@os72
Owner

os72 commented Mar 23, 2019

Closing, see #57

@os72 os72 closed this as completed Mar 23, 2019