[jira] [Commented] (MRESOLVER-52) https for artifact resolution
[ https://issues.apache.org/jira/browse/MRESOLVER-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16592094#comment-16592094 ] Michael Osipov commented on MRESOLVER-52: - Unless we see your configuration and Maven version, I'd say that this one is invalid. > https for artifact resolution > - > > Key: MRESOLVER-52 > URL: https://issues.apache.org/jira/browse/MRESOLVER-52 > Project: Maven Resolver > Issue Type: Bug > Components: resolver >Affects Versions: Maven Artifact Resolver 1.1.1 >Reporter: Elliotte Rusty Harold >Priority: Major > > Here's an exception I saw recently: > Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not > transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0 > from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename > nor servname provided, or not known > The exception is probably a glitch in my network or DNS. Not resolver's fault > and no big deal. However the message surprised me. Why > *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/? > One of three things is likely happening here: > 1. Resolver is really using http instead of https to transfer artifacts. This > is a major issue, and should be fixed. > 2. It's using https to transfer, but is forming the URL in the error message > by string concatenation with "http", which is not critical but should still > be fixed. > 3. It's relying on repo1 to redirect to https, which it seems to do; but > shouldn't be required since this leaves the connection vulnerable to MITM. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MRESOLVER-52) https for artifact resolution
[ https://issues.apache.org/jira/browse/MRESOLVER-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568315#comment-16568315 ] Robert Scholte commented on MRESOLVER-52: - Could it be that one of the dependencies has specified this repository in their pom? Artifact Resolver is not aware of Maven Central, it must be fed with all remote repositories, either by the user or via pom configuration. > https for artifact resolution > - > > Key: MRESOLVER-52 > URL: https://issues.apache.org/jira/browse/MRESOLVER-52 > Project: Maven Resolver > Issue Type: Bug > Components: resolver >Affects Versions: Maven Artifact Resolver 1.1.1 >Reporter: Elliotte Rusty Harold >Priority: Major > > Here's an exception I saw recently: > Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not > transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0 > from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename > nor servname provided, or not known > The exception is probably a glitch in my network or DNS. Not resolver's fault > and no big deal. However the message surprised me. Why > *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/? > One of three things is likely happening here: > 1. Resolver is really using http instead of https to transfer artifacts. This > is a major issue, and should be fixed. > 2. It's using https to transfer, but is forming the URL in the error message > by string concatenation with "http", which is not critical but should still > be fixed. > 3. It's relying on repo1 to redirect to https, which it seems to do; but > shouldn't be required since this leaves the connection vulnerable to MITM. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MRESOLVER-52) https for artifact resolution
[ https://issues.apache.org/jira/browse/MRESOLVER-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568287#comment-16568287 ] Elliotte Rusty Harold commented on MRESOLVER-52: This happened in my own program that depends on the Maven resolver library. That is, I was not using Maven directly. This PR has the current state of that code: https://github.com/GoogleCloudPlatform/cloud-opensource-java/pull/32 My own dependencies should be at or at most 0.0.1 version behind the current releases. I'm not sure if ~/.m2 applies in these circumstances. Either way it doesn't have any customizations. > https for artifact resolution > - > > Key: MRESOLVER-52 > URL: https://issues.apache.org/jira/browse/MRESOLVER-52 > Project: Maven Resolver > Issue Type: Bug > Components: resolver >Affects Versions: Maven Artifact Resolver 1.1.1 >Reporter: Elliotte Rusty Harold >Priority: Major > > Here's an exception I saw recently: > Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not > transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0 > from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename > nor servname provided, or not known > The exception is probably a glitch in my network or DNS. Not resolver's fault > and no big deal. However the message surprised me. Why > *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/? > One of three things is likely happening here: > 1. Resolver is really using http instead of https to transfer artifacts. This > is a major issue, and should be fixed. > 2. It's using https to transfer, but is forming the URL in the error message > by string concatenation with "http", which is not critical but should still > be fixed. > 3. It's relying on repo1 to redirect to https, which it seems to do; but > shouldn't be required since this leaves the connection vulnerable to MITM. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MRESOLVER-52) https for artifact resolution
[ https://issues.apache.org/jira/browse/MRESOLVER-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568191#comment-16568191 ] Robert Scholte commented on MRESOLVER-52: - Which version of Maven are you using? Do have customized settings.xml (either in user.home/.m2/ or maven.home/conf ) where you have specified the repository URL? Did you see this during the start of Maven or when some plugin kicked in (which one)? > https for artifact resolution > - > > Key: MRESOLVER-52 > URL: https://issues.apache.org/jira/browse/MRESOLVER-52 > Project: Maven Resolver > Issue Type: Bug > Components: resolver >Affects Versions: Maven Artifact Resolver 1.1.1 >Reporter: Elliotte Rusty Harold >Priority: Major > > Here's an exception I saw recently: > Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not > transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0 > from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename > nor servname provided, or not known > The exception is probably a glitch in my network or DNS. Not resolver's fault > and no big deal. However the message surprised me. Why > *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/? > One of three things is likely happening here: > 1. Resolver is really using http instead of https to transfer artifacts. This > is a major issue, and should be fixed. > 2. It's using https to transfer, but is forming the URL in the error message > by string concatenation with "http", which is not critical but should still > be fixed. > 3. It's relying on repo1 to redirect to https, which it seems to do; but > shouldn't be required since this leaves the connection vulnerable to MITM. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
