[isabelle-dev] Broken component: jdk7u40
hupel at in.tum.de
Tue Sep 17 17:51:17 CEST 2013
> We've had such incidents before with these huge jdk components. I had
> informed the local administrators about it, but they did not have any idea
> what could be wrong with the http server -- they made a reboot but it did
> not change substantially. If anyone wants to investigate further --
> welcome. There is no particular need for me to figure out web server
> problems at TUM.

Just tried downloading again, and the issue has been resolved.

> Just for the sake of scientific honesty, there is also some small chance
> that the perl-based download script of "isabelle components" is
> susceptible to bad versions of perl, wrong C libraries, fragile linux
> distributions, whatever.

The reason why I didn't consider "external" issues is that I was under the
impression that the integrity of the downloaded artifacts is checked
against `Admin/components/components.sha1`, but apparently that is not the
case. Is there a reason for that?

There is also a security concern here: A (random) repository snapshot can
be easily obtained via HTTPS, but downloading the components happens via
(untrusted) HTTP by default, without further integrity checks.
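
The integrity check raised in this message, sketched as an added example that is not part of the original post and is not Isabelle's own code: a downloaded archive is accepted only if its SHA-1 matches the entry pinned in a manifest taken from the repository. The manifest layout (sha1sum-style `HEX  NAME` lines), the function names and the sample data are assumptions.

```python
import hashlib
import os
import tempfile


def load_manifest(path):
    """Parse 'HEX  NAME' lines (sha1sum layout, an assumption) into {name: hex}."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2 and len(parts[0]) == 40:
                entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def sha1_of(path, chunk=1 << 20):
    """Hash in chunks so a large archive is never held in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_component(archive, manifest):
    """Return 'ok', 'mismatch' or 'unlisted'; unpack only on 'ok'."""
    expected = load_manifest(manifest).get(os.path.basename(archive))
    if expected is None:
        return "unlisted"  # fail closed: no pinned digest, no trust
    return "ok" if sha1_of(archive) == expected else "mismatch"


def demo():
    """Constructed data: a fake archive, its manifest, then a truncated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "demo-component.tar.gz")
        manifest = os.path.join(tmp, "components.sha1")
        payload = b"constructed component payload\n" * 1000
        with open(archive, "wb") as fh:
            fh.write(payload)
        with open(manifest, "w", encoding="utf-8") as fh:
            fh.write(hashlib.sha1(payload).hexdigest() + "  demo-component.tar.gz\n")
        good = verify_component(archive, manifest)
        with open(archive, "wb") as fh:  # simulate a download cut short
            fh.write(payload[: len(payload) // 2])
        cut = verify_component(archive, manifest)
        unlisted = verify_component(os.path.join(tmp, "other.tar.gz"), manifest)
    return good, cut, unlisted
```

The check is only as trustworthy as the channel the manifest came from, so the manifest should be read from the HTTPS-obtained repository snapshot rather than fetched alongside the archive. SHA-1 catches truncated or corrupted downloads but is no longer collision resistant.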