It should be possible to run any build without a warning. We cannot assume
that every http connection also has an https connection. Maven is only
aware of one URL and that's the one to Central. This has already been
changed to https. Other URLs are specified in the settings.xml, (direct)
pom.xml and dependency-poms. The first two are managed by the end-user; he
has set these values, so he should already be aware of them.
The dependency poms (and plugin poms) are harder to discover and to
control.
In all cases, having a repository manager makes it much easier to control
connections.
If there should be a warning, it might be better to write an enforcer rule
for it and apply it to your own projects.
Robert
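As an added illustration of the "write an enforcer rule" suggestion (this is example code, not code from the Maven project or from anyone in this thread): a custom rule against the Maven Enforcer API that walks the artifact and plugin repositories of the project's effective POM and fails the build, or only warns, when a repository URL is cleartext HTTP. The package, class name and the `warnOnly` parameter are assumptions; the Maven API calls (`EnforcerRuleHelper.evaluate`, `MavenProject.getRemoteArtifactRepositories`, `getPluginArtifactRepositories`, `ArtifactRepository.getUrl`) are real. As Robert notes, repositories that only appear in dependency POMs are not in the project's own repository list, so this rule cannot see them.

```java
// Added example, not code from the Maven project or from the thread.
// Package name, class name and the "warnOnly" parameter are assumptions.
package example.enforcer;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.maven.artifact.repository.ArtifactRepository;
import org.apache.maven.enforcer.rule.api.EnforcerRule;
import org.apache.maven.enforcer.rule.api.EnforcerRuleException;
import org.apache.maven.enforcer.rule.api.EnforcerRuleHelper;
import org.apache.maven.project.MavenProject;
import org.codehaus.plexus.component.configurator.expression.ExpressionEvaluationException;

/**
 * Fails (or, with warnOnly=true, warns about) any artifact or plugin repository
 * in the project's effective POM (settings.xml mirrors/profiles plus the POM
 * hierarchy) whose URL is plain, unencrypted HTTP. Repositories declared only
 * in dependency POMs are not part of that list and are not checked here.
 */
public class RequireHttpsRepositories implements EnforcerRule {

    /** Set from the plugin <configuration>; false means a violation fails the build. */
    private boolean warnOnly = false;

    public void execute(EnforcerRuleHelper helper) throws EnforcerRuleException {
        MavenProject project;
        try {
            project = (MavenProject) helper.evaluate("${project}");
        } catch (ExpressionEvaluationException e) {
            throw new EnforcerRuleException("Unable to retrieve the MavenProject", e);
        }

        List<String> offenders = new ArrayList<String>();
        offenders.addAll(findInsecure(project.getRemoteArtifactRepositories(), "repository"));
        offenders.addAll(findInsecure(project.getPluginArtifactRepositories(), "pluginRepository"));
        if (offenders.isEmpty()) {
            return;
        }

        StringBuilder msg = new StringBuilder(
            "Artifacts would be downloaded over plain HTTP; an on-path attacker can replace "
            + "both the artifact and its checksum:");
        for (String o : offenders) {
            msg.append(System.lineSeparator()).append("  ").append(o);
        }
        if (warnOnly) {
            helper.getLog().warn(msg.toString());
        } else {
            throw new EnforcerRuleException(msg.toString());
        }
    }

    /** One description line per repository whose URL is cleartext HTTP. */
    static List<String> findInsecure(List<ArtifactRepository> repos, String kind) {
        List<String> out = new ArrayList<String>();
        if (repos == null) {
            return out;
        }
        for (ArtifactRepository repo : repos) {
            if (isCleartextHttp(repo.getUrl())) {
                out.add(kind + " '" + repo.getId() + "' -> " + repo.getUrl());
            }
        }
        return out;
    }

    /** True for http:// and for the WebDAV wagon form dav:http://; https and other schemes pass. */
    static boolean isCleartextHttp(String url) {
        if (url == null) {
            return false;
        }
        String u = url.trim().toLowerCase(Locale.ROOT);
        if (u.startsWith("dav:")) {          // wagon-webdav puts "dav:" in front of the real scheme
            u = u.substring("dav:".length());
        }
        return u.startsWith("http://");
    }

    // No caching: the repository list can differ between modules of a reactor build.
    public boolean isCacheable() { return false; }
    public boolean isResultValid(EnforcerRule cachedRule) { return false; }
    public String getCacheId() { return ""; }
}
```

To apply it, package the class as a jar, add that jar as a `<dependency>` of maven-enforcer-plugin in the project, and list the rule under `<rules>` as `<requireHttpsRepositories implementation="example.enforcer.RequireHttpsRepositories">` with `<warnOnly>true</warnOnly>` if a warning rather than a failure is wanted. Because the rule only sees what the project itself resolves its repositories from, the thread's other point still stands: routing every request through a repository manager (a `<mirror>` with `<mirrorOf>*</mirrorOf>` in settings.xml) is what actually covers the repositories pulled in by dependency and plugin POMs.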
On Sat, 08 Oct 2016 00:49:36 +0200, Manfred Moser
<[email protected]> wrote:
The aether code is currently being absorbed into Maven, so you just need to
hang tight until that's done if you want to propose a code change. But
it's right here with the same team.
And regarding the warning ... such a warning would have to be disabled
by default, otherwise it would litter the log for many existing builds,
causing all sorts of issues. And then I am not sure it makes much sense.
But say you go with a warning you would not want to warn for each
download but only for the first one to avoid excessive logging. So maybe
just warn for each specific repository URL once.
Manfred
Alexander Kjäll wrote on 2016-10-07 15:42:
That's good feedback, I'll investigate the aether code and propose the
same thing to them.
I agree that some people might want to have their download insecure;
that's why I think that a warning is an appropriate level of
notification regarding this.
//Alex
2016-10-08 0:16 GMT+02:00 Michael Osipov <[email protected]>:
Am 2016-10-07 um 23:31 schrieb Alexander Kjäll:
Hi
I would like to propose that maven issues a warning when an artifact
gets downloaded over http instead of https.
The current security model kind of relies on no one MITM'ing the
download and replacing the artifact and checksums with something
malicious. That becomes impossible to guarantee when run over a
transport layer that lacks security.
I have attached a very crude patch that implements this behaviour, but
I'm sure it needs to be reworked before it's ready to be merged.
Basically, Aether should handle this, as you might plug in other
protocols to pull from: SFTP, FTPS, DAVS, etc. Additionally, if this
happens in a company, maybe people are quite fine with insecure only.
To sum up: we should wait until Aether transforms into Maven Artifact
Resolver.
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]