Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to HTTPS in freshly downloaded Fijis ? #83

Closed
haesleinhuepf opened this issue Nov 19, 2019 · 11 comments
Closed

Upgrade to HTTPS in freshly downloaded Fijis ? #83

haesleinhuepf opened this issue Nov 19, 2019 · 11 comments
Assignees
@hinerm

Comments

@haesleinhuepf
Copy link
Member

Hey all, hey @frauzufall and @ctrueden ,

while visiting a collaborator, we just realized: When downloading a new Fiji and updating it, it asks to upgrade all update sites to HTTPS. This message is a bit annoying and deterrent for new users. Is there a way that freshly downloaded Fijis come with HTTPS update sites pre-configured?

Thanks!

Cheers,
Robert
@ctrueden
Copy link
Member

I was wondering that, too!

@frauzufall Do you know why it isn't already up-to-date?

@frauzufall
Copy link
Member

I tried a couple of times to figure it out, I looked at the code here and the build script and asked gitter and @turekg, but without success. Thanks for creating the issue, @haesleinhuepf , I should have done right away. I pan to spend some time with the updater next week, will also look at this again. Any hints appreciated!

@frauzufall
Copy link
Member

frauzufall commented Nov 21, 2019
edited
Loading

I had another look with @turekg and the source for this issue is probably in the bootstap.js file (this line). I ignored this file so far, but the build script is calling it, I'll adjust it.

@ctrueden
Copy link
Member

Ah, good catch, @frauzufall!

If we could improve the scijava-maven-plugin to build a fully functional Fiji.app from scratch, we would no longer need bootstrap.js for that purpose. (It is still conceivably useful for transforming an ImageJ1 installation into ImageJ2, but in practice no one uses this and it hasn't been tested in years.) We'd need to solve at least scijava/scijava-maven-plugin#17 and scijava/scijava-maven-plugin#19, and also do something to enable copying of the native launcher(s) into the application root directory. This has been a goal for a long time but I have no time to work on it. Would you and/or @turekg have bandwidth?

@turekg
Copy link

turekg commented Nov 28, 2019
edited
Loading

Wouldn't mind looking into it, I will put it in my TODO list....

@frauzufall
Copy link
Member

So it's not just this one line, that's only the Fiji URL, the main URL seems to come from these outdated JARs which are used to run an updater command line instance. Looking at the rest of the code, I am not sure what will happen if we update these JAR versions as well. At the end of the script, the updater is updated - it might be easier to add another line at the end to update the URLs via command line updater until we get rid of the script.

@turekg
Copy link

turekg commented Dec 6, 2019

Happy to dig into this a bit deeper, but for expedience sake Debo's fix could be a first step

@ctrueden
Copy link
Member

ctrueden commented Dec 6, 2019
edited
Loading

In the past, Johannes would occasionally update the versions in bootstrap.js. He only did it when he was confident the new combination of JARs was working well, though, because non-working combinations there break the remote updater. It's probably safe for us to update them to a newer version. Although we need to be careful: is there still bootstrap.js vs. bootstrapJ8.js? And will it break Java 6 installations of Fiji if we change it? And do we care?

frauzufall added a commit that referenced this issue May 17, 2020
@frauzufall
bootstrap.js: update to HTTPS, add Java-8 update site #83
e1d66c7
@frauzufall frauzufall mentioned this issue May 17, 2020
Closed
@imagesc-bot
Copy link

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/https-to-make-imagej-fiji-more-secure/398/29

@ctrueden
Copy link
Member

The fiji-builds job now no longer uses the JavaScript bootstrap script. Instead, it:

  1. Bootstraps the Fiji installation using mvn scijava:populate-app (against the fiji/fiji master branch, which as of this writing is pom-scijava 29.0.0-beta-3 artifact versions, plus an updated imagej-updater 0.10.5 to work around critical updater bug Deleting classpath entries during execution can crash the Updater #88);
  2. Manually downloads all the ImageJ launchers (currently hardcoded at version 5.0.3);
  3. Invokes the command line Updater via the launcher to update to match what's on the three core update sites;
  4. Bundles everything up using fiji.packager.Packager (but see Decide whether to update the Fiji Package Maker, or move away from it fiji/fiji-builds#4).

As of this writing, the db.xml.gz of the available bundles now says:

<update-site name="ImageJ" url="https://update.imagej.net/" official="true" timestamp="20190325155938"/>
<update-site name="Fiji" url="https://update.fiji.sc/" official="false" timestamp="20200225164457"/>
<update-site name="Java-8" url="https://sites.imagej.net/Java-8/" official="false" timestamp="20200705214732"/>

@frauzufall @haesleinhuepf So, can this issue be closed now? I.e., when you download a fresh Fiji and run it for the first time and try to update it, does it still prompt to update HTTP to HTTPS? Or not?

@haesleinhuepf
Copy link
Member Author

Hey @ctrueden ,

I just downloaded a fresh Fiji (Windows version) and tried. The message is gone. Thanks a lot for your work on this!

Happily closing the issue right now.

Cheers,
Robert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hinerm hinerm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ctrueden @frauzufall @hinerm @haesleinhuepf @turekg @imagesc-bot