[
https://issues.apache.org/jira/browse/MRESOLVER-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16592094#comment-16592094
]
Michael Osipov commented on MRESOLVER-52:
-----------------------------------------
Unless we see your configuration and Maven version, I'd say that this one is
invalid.
> https for artifact resolution
> -----------------------------
>
> Key: MRESOLVER-52
> URL: https://issues.apache.org/jira/browse/MRESOLVER-52
> Project: Maven Resolver
> Issue Type: Bug
> Components: resolver
> Affects Versions: Maven Artifact Resolver 1.1.1
> Reporter: Elliotte Rusty Harold
> Priority: Major
>
> Here's an exception I saw recently:
> Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not
> transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0
> from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename
> nor servname provided, or not known
> The exception is probably a glitch in my network or DNS. Not resolver's fault
> and no big deal. However the message surprised me. Why
> *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/?
> One of three things is likely happening here:
> 1. Resolver is really using http instead of https to transfer artifacts. This
> is a major issue, and should be fixed.
> 2. It's using https to transfer, but is forming the URL in the error message
> by string concatenation with "http", which is not critical but should still
> be fixed.
> 3. It's relying on repo1 to redirect to https, which it seems to do; but
> shouldn't be required since this leaves the connection vulnerable to MITM.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
