That's good feedback, I'll investigate the aether code and propose the same thing to them.

I agree that some people might want to have their download unsecure, that's why I think that a warning is an appropriate level of notification regarding this.

//Alex

2016-10-08 0:16 GMT+02:00 Michael Osipov <[email protected]>:
> On 2016-10-07 at 23:31, Alexander Kjäll wrote:
>>
>> Hi
>>
>> I would like to propose that maven issues a warning when an artifact
>> gets downloaded over http instead of https.
>>
>> The current security model kind of relies on that no one MITM's the
>> download and replaces the artifact and checksums with something
>> malicious. That becomes impossible to guarantee when run over a
>> transport layer that lacks security.
>>
>> I have attached a very crude patch that implements this behaviour, but
>> I'm sure it needs to be reworked before it's ready to be merged.
>
> Basically, Aether should handle this, as you might plug other protocols to
> pull from: SFTP, FTPS, DAVS, etc. Additionally, if this happens in a
> company, maybe people are quite fine with unsecure only.
>
> To sum up: we should wait when Aether transforms to Maven Artifact Resolver.
>
> Michael
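The kind of check discussed in this thread, sketched as an offline audit of a POM or settings file. This is an added example, not the patch attached to the original mail and not Maven or Aether code; the sample POM, its ids and hosts are constructed, and treating `https`, `sftp`, `ftps` and `davs` as protected schemes is an assumption taken from the protocols named above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: https plus the secured protocols named in the thread count as protected.
SECURE_SCHEMES = {"https", "sftp", "ftps", "davs"}
REPO_TAGS = {"repository", "pluginRepository", "mirror"}

# Constructed sample POM; ids and hosts are placeholders.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.org/maven2</url></repository>
    <repository><id>internal</id><url>https://repo.example.org/releases</url></repository>
    <repository><id>local</id><url>file:///opt/repo</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>${plugins.url}</url></pluginRepository>
  </pluginRepositories>
</project>
"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def audit_repositories(xml_text):
    """Return (id, url, reason) for every repository URL that deserves a warning."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) not in REPO_TAGS:
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in element}
        repo_id, url = fields.get("id", "?"), fields.get("url", "")
        if not url:
            continue
        if "${" in url:
            # The scheme is only known after interpolation, so flag it for review.
            findings.append((repo_id, url, "unresolved property, check effective POM"))
            continue
        scheme = urlsplit(url).scheme.lower()
        if scheme == "file" or scheme in SECURE_SCHEMES:
            continue  # local path or protected transport
        findings.append((repo_id, url, f"unprotected transport '{scheme or 'none'}'"))
    return findings

if __name__ == "__main__":
    for repo_id, url, reason in audit_repositories(SAMPLE_POM):
        print(f"WARNING: repository {repo_id} ({url}): {reason}")
```

Like the warning proposed in the thread, it reports rather than blocks, so setups that accept plain http keep working.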
