Yes - exactly.
Doing it in master only may alleviate some of the worry, but I imagine
it would still cause headache. For something that is already
configurable by <3.2.3 by users who want it, I can't get behind forcing
a newer version to just to get the default action changed.
On 8/18/14, 9:01 AM, Bill Havanki wrote:
A user with Maven pre-3.2.3 can configure the Maven Central URL to use
HTTPS by setting up a mirror in their settings.xml.
http://maven.apache.org/guides/mini/guide-mirror-settings.html
Josh, is your concern that folks won't be able to upgrade to 3.2.3?
On Sun, Aug 17, 2014 at 5:41 PM, Josh Elser <[email protected]> wrote:
I see a massive headache incoming doing this. Is there a middle ground we
can encourage people to use that isn't going to break everyone downstream?
Can we make some recommendations to clients about how to use HTTPS instead
of HTTP access to avoid the MITM attack (which I assume is the primary
reason for suggesting the update).
On 8/17/2014 4:57 PM, Sean Busbey wrote:
Now that Maven has released version 3.2.3 to default HTTPS access to maven
central, anyone have an objection to updating our enforcer rules to
require
it?
http://maven.apache.org/docs/3.2.3/release-notes.html
