We could just update our developer docs to strongly suggest updating to Maven 3.2.3, if we don't want to force it.

What kind of downstream issues are you expecting? AFAIK, the enforcer section for the pom only gets used when building our repo, not when building a project that uses us as a dep.

On Mon, Aug 18, 2014 at 9:41 AM, Josh Elser <[email protected]> wrote:

> Yes - exactly.
>
> Doing it in master only may alleviate some of the worry, but I imagine it
> would still cause headache. For something that is already configurable by
> <3.2.3 by users who want it, I can't get behind forcing a newer version
> just to get the default action changed.
>
>
> On 8/18/14, 9:01 AM, Bill Havanki wrote:
>
>> A user with Maven pre-3.2.3 can configure the Maven Central URL to use
>> HTTPS by setting up a mirror in their settings.xml.
>>
>> http://maven.apache.org/guides/mini/guide-mirror-settings.html
>>
>> Josh, is your concern that folks won't be able to upgrade to 3.2.3?
>>
>>
>> On Sun, Aug 17, 2014 at 5:41 PM, Josh Elser <[email protected]> wrote:
>>
>>> I see a massive headache incoming doing this. Is there a middle ground we
>>> can encourage people to use that isn't going to break everyone
>>> downstream?
>>>
>>> Can we make some recommendations to clients about how to use HTTPS
>>> instead of HTTP access to avoid the MITM attack (which I assume is the
>>> primary reason for suggesting the update).
>>>
>>>
>>> On 8/17/2014 4:57 PM, Sean Busbey wrote:
>>>
>>>> Now that Maven has released version 3.2.3 to default HTTPS access to
>>>> maven central, anyone have an objection to updating our enforcer rules
>>>> to require it?
>>>>
>>>> http://maven.apache.org/docs/3.2.3/release-notes.html

--
Sean
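Added example, not part of the thread or the project's own files: a `~/.m2/settings.xml` mirror of the kind Bill Havanki's message describes, sending Maven Central traffic over HTTPS on Maven versions older than 3.2.3. The mirror `id` and `name` are constructed for illustration; the URL is the HTTPS address of Maven Central.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ~/.m2/settings.xml (per-user) or ${maven.home}/conf/settings.xml (global) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <mirror>
      <!-- id and name are constructed for this example -->
      <id>central-https</id>
      <name>Maven Central over HTTPS</name>
      <!-- TLS endpoint for Maven Central; replaces the plain-HTTP default
           that Maven versions before 3.2.3 carry in their super POM -->
      <url>https://repo.maven.apache.org/maven2</url>
      <!-- "central" is the repository id declared in the super POM, so this
           mirror covers both dependency and plugin resolution from Central.
           Repositories declared under other ids are not affected. -->
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

Running a build with `mvn -X` logs the repository URL each artifact is resolved from, which confirms whether the mirror is in effect.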
