A user with Maven pre-3.2.3 can configure the Maven Central URL to use HTTPS by setting up a mirror in their settings.xml.
http://maven.apache.org/guides/mini/guide-mirror-settings.html Josh, is your concern that folks won't be able to upgrade to 3.2.3? On Sun, Aug 17, 2014 at 5:41 PM, Josh Elser <[email protected]> wrote: > I see a massive headache incoming doing this. Is there a middle ground we > can encourage people to use that isn't going to break everyone downstream? > > Can we make some recommendations to clients about how to use HTTPS instead > of HTTP access to avoid the MITM attack (which I assume is the primary > reason for suggesting the update). > > > On 8/17/2014 4:57 PM, Sean Busbey wrote: > >> Now that Maven has released version 3.2.3 to default HTTPS access to maven >> central, anyone have an objection to updating our enforcer rules to >> require >> it? >> >> http://maven.apache.org/docs/3.2.3/release-notes.html >> >> -- // Bill Havanki // Solutions Architect, Cloudera Govt Solutions // 443.686.9283
