[ 
https://issues.apache.org/jira/browse/MRESOLVER-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568287#comment-16568287
 ] 

Elliotte Rusty Harold commented on MRESOLVER-52:
------------------------------------------------

This happened in my own program that depends on the Maven resolver library. 
That is, I was not using Maven directly. This PR has the current state of that 
code:

https://github.com/GoogleCloudPlatform/cloud-opensource-java/pull/32

My own dependencies should be at or at most 0.0.1 version behind the current 
releases. 

I'm not sure if ~/.m2 applies in these circumstances. Either way it doesn't 
have any customizations.


> https for artifact resolution
> -----------------------------
>
>                 Key: MRESOLVER-52
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-52
>             Project: Maven Resolver
>          Issue Type: Bug
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Elliotte Rusty Harold
>            Priority: Major
>
> Here's an exception I saw recently:
> Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not 
> transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0 
> from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename 
> nor servname provided, or not known
> The exception is probably a glitch in my network or DNS. Not resolver's fault 
> and no big deal. However the message surprised me. Why 
> *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/?
> One of three things is likely happening here:
> 1. Resolver is really using http instead of https to transfer artifacts. This 
> is a major issue, and should be fixed.
> 2. It's using https to transfer, but is forming the URL in the error message 
> by string concatenation with "http", which is not critical but should still 
> be fixed. 
> 3. It's relying on repo1 to redirect to https, which it seems to do; but 
> shouldn't be required since this leaves the connection vulnerable to MITM.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to