aurora-dev mailing list archives

From Mark Chu-Carroll <mchucarr...@apache.org>
Subject Re: [DISCUSS] Build security
Date Wed, 30 Jul 2014 16:12:21 GMT
+1
On Wed, Jul 30, 2014 at 12:10 PM, Kevin Sweeney <kevints@apache.org> wrote:

> Hi all,
>
> Recently in the news there has been a lot of controversy regarding Maven
> Central's lack of HTTPS support (without a donation for an access key which
> isn't redistributable, see [1], [2], [3] for context). While Sonatype plans
> to deploy HTTPS for all to fix it, there is an exploit tool in the wild.
> JCenter is an alternate Maven Central mirror that contains the dependencies
> we currently get from Maven Central. It allows free HTTPS access.
>
> I propose we immediately accept my patch [4] to switch to JCenter over
> HTTPS, buying us an immediate mitigation to the exploit tool in the wild.
> Longer-term we can switch to checksum-pinning our dependencies [5], which
> will allow us to use any Maven mirror as long as we trust our git origin
> servers and committers.
>
> Though it wasn't called out in the press, our Python dependencies are
> probably vulnerable to a similar issue and I've filed an issue [6] to
> investigate checksum-pinning there too.
>
> Please discuss, and if you agree please give a shipit to my review.
>
> Thanks,
> Kevin
>
> [1] http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
> [2]
> http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/#.U9kVOnVdXmE
> [3] https://twitter.com/bintray/status/494129921363824640
> [4] https://reviews.apache.org/r/24063/
> [5] https://issues.apache.org/jira/browse/AURORA-616
> [6] https://issues.apache.org/jira/browse/AURORA-618
>
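The checksum-pinning mitigation Kevin describes, as an added example that is neither the Aurora patch under review nor code from this thread: a small verifier that accepts only HTTPS repository URLs and checks every resolved artifact against a pin file committed next to the build. The pin-file format, artifact coordinates and artifact bytes are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlparse


def parse_pins(text):
    """Parse 'coordinate sha256' lines into a dict; reject malformed or duplicate pins."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError("malformed pin on line %d: %r" % (lineno, raw))
        coord, digest = parts
        if coord in pins:
            raise ValueError("duplicate pin for %s" % coord)
        pins[coord] = digest.lower()
    return pins


def repo_url_ok(url):
    """Accept only HTTPS repositories; plain HTTP is what an on-path attacker abuses."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def verify_artifact(coord, data, pins):
    """True only if coord is pinned and data hashes to the pinned digest."""
    expected = pins.get(coord)
    if expected is None:
        return False  # unpinned: refuse instead of trusting whatever the mirror served
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


# Constructed stand-ins for artifact bytes; the pin file is recorded once from
# these trusted copies and then committed alongside the build.
TRUSTED = {
    "org.example:lib-a:1.0": b"lib-a-1.0.jar (constructed bytes)",
    "org.example:lib-b:2.3": b"lib-b-2.3.jar (constructed bytes)",
}
PIN_FILE = "# coordinate sha256\n" + "".join(
    "%s %s\n" % (c, hashlib.sha256(b).hexdigest()) for c, b in TRUSTED.items())


def demo():
    """Returns (genuine ok, tampered ok, unpinned ok) for three resolved artifacts."""
    pins = parse_pins(PIN_FILE)
    return (verify_artifact("org.example:lib-a:1.0", TRUSTED["org.example:lib-a:1.0"], pins),
            verify_artifact("org.example:lib-a:1.0", b"lib-a-1.0.jar (swapped in transit)", pins),
            verify_artifact("org.example:lib-c:9.9", b"never pinned", pins))
```

With pins in place the mirror only has to be reachable, not trusted: a swapped jar fails the digest check and an artifact nobody pinned is refused outright.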
