[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16860278#comment-16860278 ]
Michael Osipov commented on MNG-6673: ------------------------------------- Not to forget site deployment, SCM interaction, etc. > Deprecate HTTP Download & Upload > -------------------------------- > > Key: MNG-6673 > URL: https://issues.apache.org/jira/browse/MNG-6673 > Project: Maven > Issue Type: Improvement > Components: Deployment > Reporter: Jonathan Leitschuh > Priority: Major > > Some of the most popular Java projects in the JVM ecosystem are vulnerable to > a MITM of their dependencies. This is something that build tools can help > prevent. > Starting in the next release of Maven, Maven should begin warning users about > the use of HTTP to download/upload artifacts to/from artifact servers. > I believe that Maven/Gradle/SBT should require users to opt-out of the > security offered by using HTTPS to download/upload artifacts. > Here's a list of projects that were found to be vulnerable to this: > [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing] > This issue will be updated later today to link to the public disclosure of > this industry-wide vulnerability. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)