aurora-dev mailing list archives

From Jake Farrell <>
Subject Re: [DISCUSS] Build security
Date Wed, 30 Jul 2014 16:44:31 GMT

Aurora-620: Is this really a rampant issue causing jars to be widely
compromised? Great blog post, but is there any documentation of this exploit
actually occurring? To me this seems like additions that are not needed,
especially since Maven Central is going to SSL in the near future.

Aurora-616: The Gradle Witness plugin will test against the listed
dependencies in our build.gradle, but it does not verify any
sub-dependencies. It would be better for us to vendor-cache all of our
dependencies if we are really worried about this.


On Wed, Jul 30, 2014 at 12:10 PM, Kevin Sweeney <> wrote:

> Hi all,
> Recently in the news there has been a lot of controversy regarding Maven
> Central's lack of HTTPS support (without a donation for an access key which
> isn't redistributable; see [1], [2], [3] for context). While Sonatype plans
> to deploy HTTPS for all to fix it, there is an exploit tool in the wild.
> JCenter is an alternate Maven Central mirror that contains the dependencies
> we currently get from Maven Central. It allows free HTTPS access.
> I propose we immediately accept my patch [4] to switch to JCenter over
> HTTPS, buying us an immediate mitigation to the exploit tool in the wild.
> Longer-term we can switch to checksum-pinning our dependencies [5], which
> will allow us to use any Maven mirror as long as we trust our git origin
> servers and committers.
> Though it wasn't called out in the press, our Python dependencies are
> probably vulnerable to a similar issue and I've filed an issue [6] to
> investigate checksum-pinning there too.
> Please discuss, and if you agree please give a shipit to my review.
> Thanks,
> Kevin
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
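An added example, not code from this thread or from the Aurora project, of the checksum-pinning idea Kevin raises, extended to cover the transitive dependencies Jake points out the Witness plugin skips: every resolved artifact, direct or transitive, is checked against a pin list, and anything without a pin fails the build instead of being silently accepted. The pin-file format, the org.example coordinates and the jar bytes are constructed for illustration.

```python
import hashlib

def parse_pins(text: str) -> dict:
    """Parse a pin file: one 'group:artifact:version sha256hex' per line; '#' starts a comment."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            coord, digest = line.split()
            pins[coord] = digest.lower()
    return pins

def verify_artifacts(artifacts: dict, pins: dict) -> dict:
    """Check every resolved artifact (direct and transitive) against the pin list.
    An artifact with no pin is reported rather than silently accepted."""
    report = {"ok": [], "mismatch": [], "unpinned": [], "stale_pin": []}
    for coord, data in sorted(artifacts.items()):
        digest = hashlib.sha256(data).hexdigest()
        if coord not in pins:
            report["unpinned"].append(coord)
        elif pins[coord] != digest:
            report["mismatch"].append(coord)
        else:
            report["ok"].append(coord)
    report["stale_pin"] = sorted(set(pins) - set(artifacts))  # pinned but no longer resolved
    return report

def build_passes(report: dict) -> bool:
    """Fail closed: a tampered or unpinned artifact blocks the build."""
    return not report["mismatch"] and not report["unpinned"]

# Constructed sample data (stand-ins for downloaded jars, not real artifacts).
GOOD_JAR = b"PK\x03\x04 direct-lib 1.0"
ORIGINAL_UTIL_JAR = b"PK\x03\x04 util-lib 2.1"
TAMPERED_UTIL_JAR = ORIGINAL_UTIL_JAR + b" injected class"
TRANSITIVE_JAR = b"PK\x03\x04 transitive-lib 0.9"
SAMPLE_PINS = "\n".join([
    "# coordinates                 sha256",
    "org.example:direct-lib:1.0  " + hashlib.sha256(GOOD_JAR).hexdigest(),
    "org.example:util-lib:2.1    " + hashlib.sha256(ORIGINAL_UTIL_JAR).hexdigest(),
    "org.example:removed-lib:3.0 " + "0" * 64,  # left over from an older build
])
RESOLVED = {
    "org.example:direct-lib:1.0": GOOD_JAR,
    "org.example:util-lib:2.1": TAMPERED_UTIL_JAR,     # modified between mirror and build
    "org.example:transitive-lib:0.9": TRANSITIVE_JAR,  # pulled in transitively, never pinned
}
if __name__ == "__main__":
    r = verify_artifacts(RESOLVED, parse_pins(SAMPLE_PINS))
    print(r, "PASS" if build_passes(r) else "FAIL")
```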
