[
https://issues.apache.org/jira/browse/GIRAPH-1120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Olaf Flebbe updated GIRAPH-1120:
--------------------------------
Attachment: 0001-GIRAPH-1120-Insecure-repository-configuration.patch
My proposed patch. The default repository configuration is sufficient for the
default profile.
If you do not like this patch, please at least change the http:// uri to
https:// repos.
> Insecure repository configuration
> ----------------------------------
>
> Key: GIRAPH-1120
> URL: https://issues.apache.org/jira/browse/GIRAPH-1120
> Project: Giraph
> Issue Type: Bug
> Components: build
> Affects Versions: 1.2.0-SNAPSHOT
> Reporter: Olaf Flebbe
> Attachments: 0001-GIRAPH-1120-Insecure-repository-configuration.patch
>
>
> Hi, the repository configuration of Giraph is dangerous, since it is
> susceptible to MITM attacks.
> {code}
>   <repositories>
>     <repository>
>       <id>central</id>
>       <url>http://repo1.maven.org/maven2</url>
>       <releases>
>         <enabled>true</enabled>
>       </releases>
>     </repository>
> ...
> {code}
> If one looks closer, no repository needs to be configured, since
> everything from the default profile is in Maven Central.
> If anything from a non-default profile is not found in Maven Central, it
> should be moved to the respective profile. For instance, the CDH artifact
> repository should be moved to the cdh hadoop_cdh4.1.2 profile.
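Added example, not part of the original message or the attached patch: a small check that lists every repository entry in a POM whose URL is not `https://`, including entries inside profiles, so the kind of configuration reported above can be caught in review or CI. The sample POM, the `example.invalid` hosts, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not Giraph's actual pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>http://repo1.maven.org/maven2</url></repository>
  </repositories>
  <profiles><profile>
    <id>example-profile</id>
    <repositories>
      <repository><id>vendor</id><url>https://repo.example.invalid/releases</url></repository>
    </repositories>
    <pluginRepositories>
      <pluginRepository><id>plugins</id><url>HTTP://plugins.example.invalid/m2</url></pluginRepository>
    </pluginRepositories>
  </profile></profiles>
</project>"""

REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def insecure_repositories(pom_text):
    """Return (scope, id, url) for each repository whose URL is not https://."""
    findings = []
    def walk(elem, scope):
        for child in elem:
            name = local(child.tag)
            if name == "profile":  # remember which profile the entries belong to
                pid = next((c.text for c in child if local(c.tag) == "id"), "?")
                walk(child, "profile:" + pid)
            elif name in REPO_TAGS:
                fields = {local(c.tag): (c.text or "").strip() for c in child}
                url = fields.get("url", "")
                if not url.lower().startswith("https://"):  # scheme is case-insensitive
                    findings.append((scope, fields.get("id", "?"), url))
            else:
                walk(child, scope)
    walk(ET.fromstring(pom_text), "default")
    return findings

if __name__ == "__main__":
    for scope, repo_id, url in insecure_repositories(SAMPLE_POM):
        print(f"{scope}: repository '{repo_id}' uses non-HTTPS URL {url}")
```

The check flags anything that does not start with `https://`, so `file://` or missing URLs are reported as well and need a manual look.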