From Kevin Sweeney <kevi...@apache.org>
Subject [DISCUSS] Build security
Date Wed, 30 Jul 2014 16:10:13 GMT
Hi all,

Recently in the news there has been a lot of controversy regarding Maven
Central's lack of HTTPS support (without a donation for an access key which
isn't redistributable, see [1], [2], [3] for context). While Sonatype plans
to deploy HTTPS for all to fix it, there is an exploit tool in the wild.
JCenter is an alternate Maven Central mirror that contains the dependencies
we currently get from Maven Central. It allows free HTTPS access.

I propose we immediately accept my patch [4] to switch to JCenter over
HTTPS, buying us an immediate mitigation to the exploit tool in the wild.
Longer-term we can switch to checksum-pinning our dependencies [5], which
will allow us to use any Maven mirror as long as we trust our git origin
servers and committers.

Though it wasn't called out in the press, our Python dependencies are
probably vulnerable to a similar issue and I've filed an issue [6] to
investigate checksum-pinning there too.

Please discuss, and if you agree please give a shipit to my review.

Thanks,
Kevin

[1] http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
[2] http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/#.U9kVOnVdXmE
[3] https://twitter.com/bintray/status/494129921363824640
[4] https://reviews.apache.org/r/24063/
[5] https://issues.apache.org/jira/browse/AURORA-616
[6] https://issues.apache.org/jira/browse/AURORA-618
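The two mitigations the message proposes (an HTTPS-only repository so an on-path attacker cannot substitute artifacts, and checksum-pinning so any mirror can be trusted once the pins are in git) can both be expressed as build-time checks. The following is an added example, not Aurora's code or the patch under review; the pin-file format (`<coordinate> sha256=<hex>`), the function names, and the artifact bytes are all constructed for illustration, and the repository URLs are the public addresses of the two repositories the post discusses.

```python
"""Build-side dependency verification (added example, not Apache Aurora's code).

Two checks a fetch step can apply before an artifact reaches the classpath:
  1. repository_is_https(): refuse plain-HTTP repositories, the weakness the
     post describes, since anyone on the network path can rewrite the JAR.
  2. verify_artifact(): compare the downloaded bytes against a checksum pinned
     in version control, so the mirror itself no longer has to be trusted.

Pin-file format is an assumption for this example:  "<coordinate> sha256=<hex>".
"""
import hashlib
import hmac
from urllib.parse import urlparse

HEX_CHARS = set("0123456789abcdef")


def parse_pins(text):
    """Parse a pin file into {coordinate: sha256-hex}. Malformed or
    conflicting lines are errors; a silent skip would weaken the check."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or "=" not in parts[1]:
            raise ValueError(f"pin line {lineno}: expected '<coordinate> sha256=<hex>'")
        coord, (algo, _, digest) = parts[0], parts[1].partition("=")
        digest = digest.lower()
        if algo != "sha256" or len(digest) != 64 or not set(digest) <= HEX_CHARS:
            raise ValueError(f"pin line {lineno}: only a 64-hex-char sha256 pin is accepted")
        if coord in pins and pins[coord] != digest:
            raise ValueError(f"pin line {lineno}: conflicting pin for {coord}")
        pins[coord] = digest
    return pins


def repository_is_https(url):
    """True only for an https:// URL with a host; anything else (http, file
    with no host, bare scheme) is rejected as an unauthenticated source."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def verify_artifact(coord, data, pins):
    """Return (ok, reason). An artifact with no pin is rejected as well:
    an unpinned dependency is exactly the gap checksum-pinning is meant to close."""
    expected = pins.get(coord)
    if expected is None:
        return False, f"no pin recorded for {coord}"
    actual = hashlib.sha256(data).hexdigest()
    # constant-time compare; harmless here, but the habit costs nothing
    if not hmac.compare_digest(actual, expected):
        return False, f"checksum mismatch for {coord}: expected {expected}, got {actual}"
    return True, "ok"


def audit_build(repositories, pins, fetched):
    """Run both checks over a build's repository list and its fetched
    artifacts ({coordinate: bytes}); returns a list of findings (empty = clean)."""
    findings = [f"insecure repository: {u}" for u in repositories if not repository_is_https(u)]
    for coord, data in sorted(fetched.items()):
        ok, reason = verify_artifact(coord, data, pins)
        if not ok:
            findings.append(reason)
    return findings


# --- constructed sample data -------------------------------------------------
KNOWN_GOOD_JAR = b"PK\x03\x04 constructed jar bytes, not a real artifact\n"
TAMPERED_JAR = KNOWN_GOOD_JAR + b"\x00injected"
PIN_FILE = (
    "# pins committed to git; generated once from the known-good artifact\n"
    f"com.example:lib:1.0 sha256={hashlib.sha256(KNOWN_GOOD_JAR).hexdigest()}\n"
)
MAVEN_CENTRAL_HTTP = "http://repo1.maven.org/maven2/"   # the weak setting
JCENTER_HTTPS = "https://jcenter.bintray.com/"           # the proposed replacement

if __name__ == "__main__":
    pins = parse_pins(PIN_FILE)
    clean = audit_build([JCENTER_HTTPS], pins, {"com.example:lib:1.0": KNOWN_GOOD_JAR})
    bad = audit_build([MAVEN_CENTRAL_HTTP], pins, {"com.example:lib:1.0": TAMPERED_JAR,
                                                   "com.example:unpinned:2.0": b"whatever"})
    print("clean build findings:", clean)
    for f in bad:
        print("finding:", f)
```

With the pins committed alongside the build file, a mirror switch becomes a non-event: the HTTPS check still catches a plain-HTTP repository slipped into the configuration, and the checksum check rejects a substituted or unpinned artifact regardless of which mirror served it.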
