[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2020-08-17 Thread Michael Osipov (Jira)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17179181#comment-17179181 ]

Michael Osipov commented on MNG-6673:
-

As with most improvement requests: most people request, but no one contributes. 
Nothing implied or officially communicated. No committer had the interest to 
work on this. In fact, we deliver with Maven Central via HTTPS only. The rest 
is up to the user. From your point of view, the C programming language should 
be forbidden. If someone wants to work on it, fine. I'd be happy to reopen, but 
don't expect us to do anything.

> Deprecate HTTP Download & Upload
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
> Labels: SECURITY, security
> Attachments: mitm_build.jpeg
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to 
> a MITM of their dependencies. This is something that build tools can help 
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about 
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the 
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
>
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a 
> MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
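The issue quoted above asks build tools to warn about artifact transfers over plain HTTP, and the later comments point out that such transfers are not limited to dependency downloads (deployment, site publishing and SCM interaction use URLs too). The following audit script is an added example written for this thread, not Maven project code: it walks a pom.xml or settings.xml and reports every repository, plugin repository, distributionManagement endpoint, mirror or SCM coordinate whose URL uses a cleartext scheme, while ignoring metadata URLs such as the project's own `<url>`. The sample POM and settings below are constructed for the example; the hostnames in them are placeholders.

```python
"""Flag Maven transfer endpoints that use cleartext schemes (http://, ftp://).

Added example for the MNG-6673 discussion, not Maven project code. It audits
the places the thread names: pom.xml repositories, plugin repositories,
distributionManagement (artifact and site deployment), <scm> coordinates, and
settings.xml mirrors.
"""
import xml.etree.ElementTree as ET

# Parent elements whose <url> child is a download/upload endpoint. The POM's
# project-level <url>, <license><url> and similar are metadata, not transfers.
TRANSFER_CONTEXTS = {"repository", "pluginRepository", "snapshotRepository",
                     "site", "mirror"}
# SCM coordinates look like scm:git:http://host/repo.git
SCM_TAGS = {"connection", "developerConnection"}
CLEARTEXT_SCHEMES = ("http://", "ftp://")


def _local(tag):
    """Strip an XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_cleartext_transfers(xml_text):
    """Return [(context, id, url)] for every transfer endpoint using a cleartext scheme."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text:
            continue
        name = _local(elem.tag)
        parent = parent_of.get(elem)
        parent_name = _local(parent.tag) if parent is not None else ""
        if name == "url" and parent_name in TRANSFER_CONTEXTS:
            if text.lower().startswith(CLEARTEXT_SCHEMES):
                findings.append((parent_name, _child_text(parent, "id"), text))
        elif name in SCM_TAGS and parent_name == "scm":
            # "https://" does not contain "http://", so a substring test is enough.
            if any(scheme in text.lower() for scheme in CLEARTEXT_SCHEMES):
                findings.append(("scm", name, text))
    return findings


# Constructed sample inputs (hypothetical hosts, not taken from the Jira thread).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <url>http://demo.example.internal</url>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.internal/maven2</url></repository>
    <repository><id>central-ok</id><url>https://repo1.maven.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.internal/maven2</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository><id>releases</id><url>http://nexus.example.internal/releases</url></repository>
    <snapshotRepository><id>snapshots</id><url>https://nexus.example.internal/snapshots</url></snapshotRepository>
    <site><id>site</id><url>scp://site.example.internal/www</url></site>
  </distributionManagement>
  <scm>
    <connection>scm:git:http://git.example.internal/demo.git</connection>
    <developerConnection>scm:git:ssh://git@git.example.internal/demo.git</developerConnection>
  </scm>
</project>
"""

SAMPLE_SETTINGS = """<settings>
  <mirrors>
    <mirror><id>corp</id><mirrorOf>central</mirrorOf><url>http://mirror.example.internal/maven2</url></mirror>
  </mirrors>
</settings>
"""

if __name__ == "__main__":
    for label, doc in (("pom.xml", SAMPLE_POM), ("settings.xml", SAMPLE_SETTINGS)):
        for context, ident, url in find_cleartext_transfers(doc):
            print(f"{label}: {context} '{ident}' transfers over cleartext: {url}")
```

A CI job can run this over every pom.xml and the effective settings.xml and fail when the list is non-empty, which is the opt-out model the reporter asks for. Note that the project-level `<url>` and the `scp://` site endpoint are deliberately not reported: only the schemes that carry artifacts without integrity protection are flagged. For reference, Maven 3.8.1 later shipped a `maven-default-http-blocker` mirror in its default settings (`<mirrorOf>external:http:*</mirrorOf>` with `<blocked>true</blocked>`), so on current Maven an external HTTP repository fails rather than silently downloading.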


[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2020-08-17 Thread Jonathan Leitschuh (Jira)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17179176#comment-17179176 ]

Jonathan Leitschuh commented on MNG-6673:
-

I'm confused: is it now the official stance that a security issue that impacted a 
huge swath of the JVM ecosystem is 'not a problem'? I just want to understand 
and make sure that I'm understanding what's implied by this status change.






[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2019-07-26 Thread Michael Osipov (JIRA)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16893360#comment-16893360 ]

Michael Osipov commented on MNG-6673:
-

This is not a blocker, no need to spread FUD. I bet no one will work on this 
this year.




--
This message was sent by Atlassian JIRA
(v7.6.14#76016)


[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2019-07-25 Thread Jonathan Leitschuh (JIRA)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16893179#comment-16893179 ]

Jonathan Leitschuh commented on MNG-6673:
-

Has there been any progress made on this serious security vulnerability yet?

> Deprecate HTTP Download & Upload
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
> Attachments: mitm_build.jpeg
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to 
> a MITM of their dependencies. This is something that build tools can help 
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about 
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the 
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
>
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a 
> MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!





[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2019-06-10 Thread Jonathan Leitschuh (JIRA)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16860314#comment-16860314 ]

Jonathan Leitschuh commented on MNG-6673:
-

I've updated the original description of this issue to link to the published 
blog post.

> Deprecate HTTP Download & Upload
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
> Attachments: mitm_build.jpeg
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to 
> a MITM of their dependencies. This is something that build tools can help 
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about 
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the 
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
> This issue will be updated later today to link to the public disclosure of 
> this industry-wide vulnerability.
>
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a 
> MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2019-06-10 Thread Michael Osipov (JIRA)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16860278#comment-16860278 ]

Michael Osipov commented on MNG-6673:
-

Not to forget site deployment, SCM interaction, etc.

> Deprecate HTTP Download & Upload
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to 
> a MITM of their dependencies. This is something that build tools can help 
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about 
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the 
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
> This issue will be updated later today to link to the public disclosure of 
> this industry-wide vulnerability.





[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2019-06-10 Thread Michael Osipov (JIRA)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16860273#comment-16860273 ]

Michael Osipov commented on MNG-6673:
-

Besides that this is completely paranoid to me (there is also FTP, but rare), 
there is no single, consistent way in Maven and our plugins where transfers 
happen. Some use Wagon (HttpClient), some HttpClient directly, some 
{{UrlConnection}}; go figure how much work this will be and how it should 
consistently look.






[jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload

2019-06-10 Thread Joel Orlina (JIRA)


[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16860272#comment-16860272 ]

Joel Orlina commented on MNG-6673:
--

Sonatype provided some preliminary details on our plans/schedule for Maven 
Central in this blog post:

https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/



