On 2016-10-07 at 23:31, Alexander Kjäll wrote:
Hi

I would like to propose that maven issues a warning when an artifact
gets downloaded over http instead of https.

The current security model kind of relies on that no one MITM's the
download and replaces the artifact and checksums with something
malicious. That becomes impossible to guarantee when run over a
transport layer that lacks security.

I have attached a very crude patch that implements this behaviour, but
I'm sure it needs to be reworked before it's ready to be merged.

Basically, Aether should handle this, as you might plug other protocols to pull from: SFTP, FTPS, DAVS, etc. Additionally, if this happens in a company, maybe people are quite fine with insecure only.

To sum up: we should wait when Aether transforms to Maven Artifact Resolver.

Michael
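As an added example (not part of this thread, and not Maven's or Aether's own code), the following Python script is the check a build engineer can run today over a project's pom.xml and settings.xml to find the repositories and mirrors that the proposed warning would fire on: any repository, pluginRepository, mirror or distributionManagement entry whose URL is fetched over a scheme other than https. Local file:// repositories are exempted since no network transport is involved. The two embedded XML documents and the example.internal hostnames are constructed sample input.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Element names that carry a repository <url> in a POM or settings.xml.
# <snapshotRepository> appears under <distributionManagement>.
REPO_TAGS = ("repository", "pluginRepository", "mirror", "snapshotRepository")

# Schemes considered acceptable. file:// never crosses the network, so an
# on-path attacker cannot swap the artifact or its checksum in transit.
SAFE_SCHEMES = ("https", "file")


def _local(tag):
    """Strip the XML namespace ({...}) prefix that Maven files carry."""
    return tag.split("}")[-1]


def find_insecure_repositories(xml_text):
    """Return a list of (element, id, url) for every repository-like entry
    whose URL is not https:// or file://.

    A URL with no scheme at all (for example an unexpanded ${property})
    is reported too, because the scheme cannot be verified statically.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():  # document order
        tag = _local(elem.tag)
        if tag not in REPO_TAGS:
            continue
        repo_id, url = None, None
        for child in elem:
            ctag = _local(child.tag)
            if ctag == "id":
                repo_id = (child.text or "").strip()
            elif ctag == "url":
                url = (child.text or "").strip()
        if not url:
            continue
        scheme = urlsplit(url).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            findings.append((tag, repo_id, url))
    return findings


# Constructed sample POM: one https repository, one plain-http repository
# and one plain-http plugin repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.internal/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.internal/maven2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample settings.xml: a catch-all mirror over http silently
# downgrades every repository, including central, to an unauthenticated transport.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>corp</id><mirrorOf>*</mirrorOf><url>http://nexus.example.internal/repository/maven-public/</url></mirror>
  </mirrors>
</settings>
"""


def scan_file(path):
    """Read one pom.xml or settings.xml from disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return find_insecure_repositories(fh.read())


if __name__ == "__main__":
    # With file arguments: scan those files. Without: scan the embedded samples.
    sources = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("sample pom.xml", find_insecure_repositories(SAMPLE_POM)),
        ("sample settings.xml", find_insecure_repositories(SAMPLE_SETTINGS)),
    ]
    for name, findings in sources:
        for tag, repo_id, url in findings:
            print(f"WARNING {name}: <{tag}> id={repo_id!r} uses a non-https URL: {url}")
```

The mirror case is the one most worth catching: a single `<mirrorOf>*</mirrorOf>` entry over http rewrites every download, including Central, to a transport on which the checksums Maven compares can be replaced along with the artifact. Newer Maven releases (3.8.1 and later) ship a default mirror named maven-default-http-blocker that refuses plain-http repositories, which is the "block rather than warn" version of this proposal.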


