fix: use archive.apache.org for Cassandra downloads#99
Conversation
dlcdn.apache.org removes old patch versions when new ones are released, which broke CI when 5.0.7 replaced 5.0.6. Switch to archive.apache.org which retains all versions permanently. Bump to 5.0.7 and add SHA256 checksum verification.
There was a problem hiding this comment.
Pull request overview
Updates the scenario prerequisites installer to fetch Apache Cassandra from the Apache archive (to avoid disappearing patch releases) and adds integrity verification for the downloaded tarball.
Changes:
- Switch Cassandra download source from
dlcdn.apache.orgtoarchive.apache.org. - Bump Cassandra from
5.0.6to5.0.7. - Add SHA-256 checksum verification of the downloaded Cassandra tarball.
| CASSANDRA_VERSION="5.0.7" | ||
| CASSANDRA_SHA256="556be693f1941aeb8ec1538fe6224cbefdca7bc3729f87ff0e24a0052eb98c33" | ||
| PYTHON_VERSION="3.11.10" | ||
| PYENV_ROOT="${PYENV_ROOT:-$HOME/.pyenv}" | ||
| PYTHON_BIN="${PYENV_ROOT}/versions/${PYTHON_VERSION}/bin/python3" | ||
| CASSANDRA_URL="https://dlcdn.apache.org/cassandra/${CASSANDRA_VERSION}/apache-cassandra-${CASSANDRA_VERSION}-bin.tar.gz" | ||
| CASSANDRA_URL="https://archive.apache.org/dist/cassandra/${CASSANDRA_VERSION}/apache-cassandra-${CASSANDRA_VERSION}-bin.tar.gz" |
There was a problem hiding this comment.
CASSANDRA_VERSION was bumped here to 5.0.7, but scenarios/test_caching_subsystem.py still hardcodes CASSANDRA_VERSION = "5.0.6" when constructing CASSANDRA_HOME, so it will fail to find cqlsh after this script installs 5.0.7. Update the scenario to match (or better, derive the version from a single source) so CI/dev runs stay consistent.
| TARBALL="${CASSANDRA_DIR}/apache-cassandra-${CASSANDRA_VERSION}-bin.tar.gz" | ||
| curl -fL -o "$TARBALL" "$CASSANDRA_URL" | ||
| verify_checksum "$TARBALL" "$CASSANDRA_SHA256" | ||
| tar -xzf "$TARBALL" -C "$CASSANDRA_DIR" |
There was a problem hiding this comment.
The new checksum verification relies on sha256sum, but this script doesn’t check that the command exists (and it’s not available by default on some platforms like macOS). Consider validating the tool up front and/or using a portable fallback (e.g., shasum -a 256 or openssl dgst -sha256) so the script fails with a clear message instead of a generic command-not-found error.
dlcdn.apache.org removes old patch versions when new ones are released,
which broke CI when 5.0.7 replaced 5.0.6. Switch to archive.apache.org
which retains all versions permanently. Bump to 5.0.7 and add SHA256
checksum verification.