accumulo-dev mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject Re: Update Maven requirements to handle HTTPS?
Date Mon, 18 Aug 2014 14:41:21 GMT
Yes - exactly.

Doing it in master only may alleviate some of the worry, but I imagine 
it would still cause headache. For something that is already 
configurable by <3.2.3 by users who want it, I can't get behind forcing 
a newer version just to get the default action changed.

On 8/18/14, 9:01 AM, Bill Havanki wrote:
> A user with Maven pre-3.2.3 can configure the Maven Central URL to use
> HTTPS by setting up a mirror in their settings.xml.
>
> http://maven.apache.org/guides/mini/guide-mirror-settings.html
>
> Josh, is your concern that folks won't be able to upgrade to 3.2.3?
>
>
> On Sun, Aug 17, 2014 at 5:41 PM, Josh Elser <josh.elser@gmail.com> wrote:
>
>> I see a massive headache incoming doing this. Is there a middle ground we
>> can encourage people to use that isn't going to break everyone downstream?
>>
>> Can we make some recommendations to clients about how to use HTTPS instead
>> of HTTP access to avoid the MITM attack (which I assume is the primary
>> reason for suggesting the update)?
>>
>>
>> On 8/17/2014 4:57 PM, Sean Busbey wrote:
>>
>>> Now that Maven has released version 3.2.3 to default HTTPS access to maven
>>> central, anyone have an objection to updating our enforcer rules to
>>> require it?
>>>
>>> http://maven.apache.org/docs/3.2.3/release-notes.html
>>>
>>>
>
>
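The mirror approach described in this thread, sketched as an added example that is not taken from any message above: a user-level `settings.xml` that sends requests for Maven Central over HTTPS on a Maven older than 3.2.3. The mirror `id` and `name` are assumed values; the URL is the HTTPS Central endpoint that Maven 3.2.3 uses by default.

```xml
<!-- ~/.m2/settings.xml (added example, not from the thread) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <mirror>
      <!-- id and name are arbitrary labels chosen for this example -->
      <id>central-https</id>
      <name>Maven Central over HTTPS</name>
      <!-- Applies only to the repository whose id is "central", which is
           the one the built-in super POM of pre-3.2.3 Maven fetches over
           plain HTTP -->
      <mirrorOf>central</mirrorOf>
      <!-- TLS endpoint for Central; artifacts and plugins resolved through
           this mirror are no longer fetched in cleartext -->
      <url>https://repo.maven.apache.org/maven2</url>
    </mirror>
  </mirrors>
</settings>
```

Repositories declared with other ids in a project's POM are not covered by this mirror and keep whatever URL scheme they declare.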
